Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-google-auth for openSUSE:Factory checked in at 2025-01-12 11:10:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-google-auth (Old) and /work/SRC/openSUSE:Factory/.python-google-auth.new.1881 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "python-google-auth" Sun Jan 12 11:10:15 2025 rev:51 rq:1236166 version:2.37.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-google-auth/python-google-auth.changes 2024-12-08 11:37:32.766657731 +0100 +++ /work/SRC/openSUSE:Factory/.python-google-auth.new.1881/python-google-auth.changes 2025-01-12 11:10:48.990188458 +0100 @@ -1,0 +2,9 @@ +Thu Jan 9 11:34:17 UTC 2025 - John Paul Adrian Glaubitz <[email protected]> + +- Update to version 2.37.0 + * Allow users to use jwk keys for verifying ID token (#1641) +- from version 2.36.1 + * Improve user guide for Impersonation and SA (#1627) +- Update BuildRequires and Recommends from setup.py + +------------------------------------------------------------------- Old: ---- google_auth-2.36.0.tar.gz New: ---- google_auth-2.37.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-google-auth.spec ++++++ --- /var/tmp/diff_new_pack.Zlsifn/_old 2025-01-12 11:10:49.450207388 +0100 +++ /var/tmp/diff_new_pack.Zlsifn/_new 2025-01-12 11:10:49.454207553 +0100 @@ -1,7 +1,7 @@ # # spec file for package python-google-auth # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -18,7 +18,7 @@ %{?sle15_python_module_pythons} Name: python-google-auth -Version: 2.36.0 +Version: 2.37.0 Release: 0 Summary: Google Authentication Library License: Apache-2.0 @@ -27,6 +27,7 @@ # https://github.com/googleapis/google-auth-library-python/issues/1055 Patch1: python-google-auth-no-mock.patch BuildRequires: %{python_module Flask} +BuildRequires: %{python_module PyJWT >= 2.0} BuildRequires: %{python_module aiohttp >= 3.6.2} BuildRequires: %{python_module aioresponses} BuildRequires: %{python_module cachetools >= 2.0.0} 
@@ -49,6 +50,7 @@ Requires: python-pyasn1-modules >= 0.2.1 Requires: python-rsa >= 3.1.4 Requires: python-urllib3 +Recommends: python-PyJWT >= 2.0 Recommends: python-aiohttp >= 3.6.2 Recommends: python-cryptography >= 38.0.3 Recommends: python-pyOpenSSL >= 22.0.0 ++++++ google_auth-2.36.0.tar.gz -> google_auth-2.37.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/PKG-INFO new/google_auth-2.37.0/PKG-INFO --- old/google_auth-2.36.0/PKG-INFO 2024-11-06 19:05:17.942188700 +0100 +++ new/google_auth-2.37.0/PKG-INFO 2024-12-11 21:14:31.451174700 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: google-auth -Version: 2.36.0 +Version: 2.37.0 Summary: Google Authentication Library Home-page: https://github.com/googleapis/google-auth-library-python Author: Google Cloud Platform @@ -40,6 +40,9 @@ Provides-Extra: enterprise-cert Requires-Dist: cryptography; extra == "enterprise-cert" Requires-Dist: pyopenssl; extra == "enterprise-cert" +Provides-Extra: pyjwt +Requires-Dist: pyjwt>=2.0; extra == "pyjwt" +Requires-Dist: cryptography>=38.0.3; extra == "pyjwt" Google Auth Python Library ========================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/google/auth/version.py new/google_auth-2.37.0/google/auth/version.py --- old/google_auth-2.36.0/google/auth/version.py 2024-11-06 19:02:16.000000000 +0100 +++ new/google_auth-2.37.0/google/auth/version.py 2024-12-11 21:10:42.000000000 +0100 
@@ -12,4 +12,4 @@ # See the License for the specific language governing permissions and # limitations under the License. -__version__ = "2.36.0" +__version__ = "2.37.0" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/google/oauth2/id_token.py new/google_auth-2.37.0/google/oauth2/id_token.py --- old/google_auth-2.36.0/google/oauth2/id_token.py 2024-11-06 19:02:16.000000000 +0100 +++ new/google_auth-2.37.0/google/oauth2/id_token.py 2024-12-11 21:10:42.000000000 +0100 @@ -82,7 +82,8 @@ """Fetches certificates. Google-style cerificate endpoints return JSON in the format of - ``{'key id': 'x509 certificate'}``. + ``{'key id': 'x509 certificate'}`` or a certificate array according + to the JWK spec (see https://tools.ietf.org/html/rfc7517). Args: request (google.auth.transport.Request): The object used to make @@ -90,8 +91,8 @@ certs_url (str): The certificate endpoint URL. Returns: - Mapping[str, str]: A mapping of public key ID to x.509 certificate - data. + Mapping[str, str] | Mapping[str, list]: A mapping of public keys + in x.509 or JWK spec. """ response = request(certs_url, method="GET") @@ -120,7 +121,8 @@ intended for. If None then the audience is not verified. certs_url (str): The URL that specifies the certificates to use to verify the token. This URL should return JSON in the format of - ``{'key id': 'x509 certificate'}``. + ``{'key id': 'x509 certificate'}`` or a certificate array according to + the JWK spec (see https://tools.ietf.org/html/rfc7517). clock_skew_in_seconds (int): The clock skew used for `iat` and `exp` validation. 
@@ -129,12 +131,28 @@ """ certs = _fetch_certs(request, certs_url) - return jwt.decode( - id_token, - certs=certs, - audience=audience, - clock_skew_in_seconds=clock_skew_in_seconds, - ) + if "keys" in certs: + try: + import jwt as jwt_lib # type: ignore + except ImportError as caught_exc: # pragma: NO COVER + raise ImportError( + "The pyjwt library is not installed, please install the pyjwt package to use the jwk certs format." + ) from caught_exc + jwks_client = jwt_lib.PyJWKClient(certs_url) + signing_key = jwks_client.get_signing_key_from_jwt(id_token) + return jwt_lib.decode( + id_token, + signing_key.key, + algorithms=[signing_key.algorithm_name], + audience=audience, + ) + else: + return jwt.decode( + id_token, + certs=certs, + audience=audience, + clock_skew_in_seconds=clock_skew_in_seconds, + ) def verify_oauth2_token(id_token, request, audience=None, clock_skew_in_seconds=0): diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/google_auth.egg-info/PKG-INFO new/google_auth-2.37.0/google_auth.egg-info/PKG-INFO --- old/google_auth-2.36.0/google_auth.egg-info/PKG-INFO 2024-11-06 19:05:17.000000000 +0100 +++ new/google_auth-2.37.0/google_auth.egg-info/PKG-INFO 2024-12-11 21:14:31.000000000 +0100 @@ -1,6 +1,6 @@ Metadata-Version: 2.1 Name: google-auth -Version: 2.36.0 +Version: 2.37.0 Summary: Google Authentication Library Home-page: https://github.com/googleapis/google-auth-library-python Author: Google Cloud Platform 
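Review bot: The new JWK branch of `verify_token` drops `clock_skew_in_seconds`: the `jwt_lib.decode(...)` call receives only the key, `algorithms` and `audience`, so a caller-supplied skew is silently ignored for JWK endpoints while the x509 branch still passes it on. PyJWT's `decode` accepts `leeway`, so adding `leeway=clock_skew_in_seconds,` to that call would keep `iat`/`exp` handling consistent across both formats. The branch also builds `jwt_lib.PyJWKClient(certs_url)`, which fetches the key set a second time through PyJWT's own urllib-based fetch instead of the `request` transport the caller supplied. Proxy, timeout or TLS settings on that transport therefore do not apply to the fetch that yields the verification key, and the `certs` already returned by `_fetch_certs` are used only for the `"keys" in certs` test. A comment such as `# NOTE: PyJWKClient re-fetches certs_url itself and does not use request` would make this visible to callers; the function's signature and docstring begin outside this hunk.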
@@ -40,6 +40,9 @@ Provides-Extra: enterprise-cert Requires-Dist: cryptography; extra == "enterprise-cert" Requires-Dist: pyopenssl; extra == "enterprise-cert" +Provides-Extra: pyjwt +Requires-Dist: pyjwt>=2.0; extra == "pyjwt" +Requires-Dist: cryptography>=38.0.3; extra == "pyjwt" Google Auth Python Library ========================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/google_auth.egg-info/requires.txt new/google_auth-2.37.0/google_auth.egg-info/requires.txt --- old/google_auth-2.36.0/google_auth.egg-info/requires.txt 2024-11-06 19:05:17.000000000 +0100 +++ new/google_auth-2.37.0/google_auth.egg-info/requires.txt 2024-12-11 21:14:31.000000000 +0100 @@ -10,6 +10,10 @@ cryptography pyopenssl +[pyjwt] +pyjwt>=2.0 +cryptography>=38.0.3 + [pyopenssl] pyopenssl>=20.0.0 cryptography>=38.0.3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/setup.py new/google_auth-2.37.0/setup.py --- old/google_auth-2.36.0/setup.py 2024-11-06 19:02:16.000000000 +0100 +++ new/google_auth-2.37.0/setup.py 2024-12-11 21:10:42.000000000 +0100 @@ -33,6 +33,7 @@ "requests": "requests >= 2.20.0, < 3.0.0.dev0", "reauth": "pyu2f>=0.1.5", "enterprise_cert": ["cryptography", "pyopenssl"], + "pyjwt": ["pyjwt>=2.0", "cryptography>=38.0.3"], } with io.open("README.rst", "r") as fh: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/google_auth-2.36.0/tests/oauth2/test_id_token.py new/google_auth-2.37.0/tests/oauth2/test_id_token.py --- old/google_auth-2.36.0/tests/oauth2/test_id_token.py 2024-11-06 19:02:16.000000000 +0100 +++ new/google_auth-2.37.0/tests/oauth2/test_id_token.py 2024-12-11 21:10:42.000000000 +0100 
@@ -78,6 +78,29 @@ ) [email protected]("google.oauth2.id_token._fetch_certs", autospec=True) [email protected]("jwt.PyJWKClient", autospec=True) [email protected]("jwt.decode", autospec=True) +def test_verify_token_jwk(decode, py_jwk, _fetch_certs): + certs_url = "abc123" + data = {"keys": [{"alg": "RS256"}]} + _fetch_certs.return_value = data + result = id_token.verify_token( + mock.sentinel.token, mock.sentinel.request, certs_url=certs_url + ) + assert result == decode.return_value + py_jwk.assert_called_once_with(certs_url) + signing_key = py_jwk.return_value.get_signing_key_from_jwt + _fetch_certs.assert_called_once_with(mock.sentinel.request, certs_url) + signing_key.assert_called_once_with(mock.sentinel.token) + decode.assert_called_once_with( + mock.sentinel.token, + signing_key.return_value.key, + algorithms=[signing_key.return_value.algorithm_name], + audience=None, + ) + + @mock.patch("google.auth.jwt.decode", autospec=True) @mock.patch("google.oauth2.id_token._fetch_certs", autospec=True) def test_verify_token_args(_fetch_certs, decode):
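Review bot: `test_verify_token_jwk` calls `verify_token` with neither `audience` nor `clock_skew_in_seconds`, and asserts `decode.assert_called_once_with(..., audience=None)`, so it pins the JWK path without checking what happens to a caller-supplied skew. A second case such as `id_token.verify_token(mock.sentinel.token, mock.sentinel.request, audience="aud", certs_url=certs_url, clock_skew_in_seconds=10)` with an assertion on the arguments reaching `jwt.decode` would expose whether the skew is forwarded. Because `_fetch_certs`, `PyJWKClient` and `decode` are all mocked, no signature is actually verified against a JWK here. The `ImportError` branch, marked `# pragma: NO COVER` in id_token.py, is not exercised either.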
