From 2396767220d2c2c75a5ae86591f59f2b2096955f Mon Sep 17 00:00:00 2001
From: Peter Boers
Date: Mon, 21 Oct 2024 05:47:33 -0400
Subject: [PATCH 1/2] Upgrade Authlib (#68)

* Upgrade Authlib
* Bump version and patch CVE in authlib, Dropping Pydantic v1 support
---
 .bumpversion.cfg | 2 +-
 .github/workflows/pull-request.yml | 16 ----------------
 .github/workflows/test-package.yml | 17 +++--------------
 oauth2_lib/__init__.py | 2 +-
 oauth2_lib/fastapi.py | 4 ++--
 pyproject.toml | 5 +++--
 tests/test_fastapi.py | 2 +-
 7 files changed, 11 insertions(+), 37 deletions(-)
 delete mode 100644 .github/workflows/pull-request.yml

diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index b238b4e..127c38a 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2.1.0
+current_version = 2.2.0
 commit = False
 tag = False
 parse = (?P\d+)\.(?P\d+)\.(?P\d+)(\-(?P[a-z]+)(?P\d+))?
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
deleted file mode 100644
index 11d3853..0000000
--- a/.github/workflows/pull-request.yml
+++ /dev/null
@@ -1,16 +0,0 @@
-name: Pull Request on Branch Push
-on:
- push:
- branches-ignore:
- - main
-jobs:
- auto-pull-request:
- name: PullRequestAction
- runs-on: ubuntu-latest
- steps:
- - name: pull-request-action
- uses: vsoch/pull-request-action@1.0.13
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- BRANCH_PREFIX: ""
- PULL_REQUEST_BRANCH: "main"
diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml
index fb3b38d..303b794 100644
--- a/.github/workflows/test-package.yml
+++ b/.github/workflows/test-package.yml
@@ -13,7 +13,6 @@ jobs:
 strategy:
 matrix:
 python-version: ['3.11', '3.12']
- pydantic-version: ['1.*', '2.*']
 fail-fast: false
 steps:
 - uses: actions/checkout@v2
@@ -26,8 +25,6 @@ jobs:
 python -m pip install --upgrade pip
 pip install flit
 flit install --deps develop
- pip install -U "pydantic==${{ matrix.pydantic-version }}"
- pip install pydantic_settings || true
 - name: Check formatting
 run: |
 black --check .
@@ -42,16 +39,8 @@ jobs:
 apache-license-check --copyright "2019-`date +%Y` SURF" oauth2_lib
 - name: Test with pytest
 run: |
- pytest -vvv --cov-branch --cov-fail-under=80 --cov=oauth2_lib --cov-config=.coveragerc
- env:
- COVERAGE_FILE: reports/.coverage.${{ matrix.python-version }}
- - name: Upload pytest test results
- uses: actions/upload-artifact@v2
- with:
- name: reports
- path: reports
- # Use always() to always run this step to publish test results when there are test failures
- if: ${{ matrix.pydantic-version == '2.*' }} && ${{ always() }}
+ mkdir reports
+ pytest -vvv --cov-branch --cov-fail-under=80 --cov=oauth2_lib --cov-config=.coveragerc --cov-report=xml
 coverage-combine:
 needs: [build]
 runs-on: ubuntu-latest
@@ -61,7 +50,7 @@ jobs:
 with:
 python-version: '3.8'
 - name: Get coverage files
- uses: actions/download-artifact@v3
+ uses: actions/download-artifact@v4
 with:
 name: reports
 path: reports
diff --git a/oauth2_lib/__init__.py b/oauth2_lib/__init__.py
index 39a489c..759a3b3 100644
--- a/oauth2_lib/__init__.py
+++ b/oauth2_lib/__init__.py
@@ -13,4 +13,4 @@
 """This is the SURF Oauth2 module that interfaces with the oauth2 setup."""
-__version__ = "2.1.0"
+__version__ = "2.2.0"
diff --git a/oauth2_lib/fastapi.py b/oauth2_lib/fastapi.py
index dc2ede7..e5254e1 100644
--- a/oauth2_lib/fastapi.py
+++ b/oauth2_lib/fastapi.py
@@ -253,7 +253,7 @@ async def check_openid_config(self, async_client: AsyncClient) -> None:
 status_code=HTTPStatus.SERVICE_UNAVAILABLE,
 detail=f"Could not load openid config from {self.openid_config_url}",
 )
- self.openid_config = OIDCConfig.parse_obj(response.json())
+ self.openid_config = OIDCConfig(**response.json())
 class Authorization(ABC):
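Review bot: In the "Test with pytest" step (hunk at -42), `mkdir reports` creates a directory that nothing in this job writes to: the `COVERAGE_FILE: reports/...` env is removed in the same hunk, and `--cov-report=xml` without a path writes `coverage.xml` to the working directory. Either drop the `mkdir` or point the report at the directory with `--cov-report=xml:reports/coverage.xml`. The upload step is also removed here while the `coverage-combine` job in the trailing context still downloads a `reports` artifact, so this commit on its own would presumably leave that job failing until patch 2/2 disables it.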
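Review bot: `OIDCConfig(**response.json())` in check_openid_config only works when the discovery endpoint returns a JSON object; a list, string or null body raises `TypeError` at the call site instead of the pydantic `ValidationError` that `parse_obj` produced, so a handler keyed on validation errors would no longer see it. Since this body comes from a remote identity provider, I would validate it through the Pydantic v2 entry point: `self.openid_config = OIDCConfig.model_validate(response.json())`. The same applies to `OPAResult(**json_result)` in get_decision (hunk at -299) and, for consistency, to the assertion changed in tests/test_fastapi.py. check_openid_config starts above this hunk, so whether any caller catches either exception is not visible here.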
@@ -299,7 +299,7 @@ async def get_decision(self, async_client: AsyncClient, opa_input: dict) -> OPAR
 json_result = result.json()
 logger.debug("Received decision from policy agent", decision=json_result)
- return OPAResult.parse_obj(json_result)
+ return OPAResult(**json_result)
 def evaluate_decision(self, decision: OPAResult, **context: dict[str, Any]) -> bool:
 did = decision.decision_id
diff --git a/pyproject.toml b/pyproject.toml
index d4b6897..c4199b0 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -33,8 +33,9 @@ requires = [
 "structlog>=20.2.0",
 "fastapi>=0.90.1",
 "httpx[http2]>=0.23.0,<0.27.0",
- "authlib==1.0.1",
- "pydantic",
+ "authlib==1.3.1",
+ "pydantic>=2",
+ "pydantic-settings",
 "strawberry-graphql>=0.171.1",
 "asyncstdlib",
 ]
diff --git a/tests/test_fastapi.py b/tests/test_fastapi.py
index ed1eb7c..9554770 100644
--- a/tests/test_fastapi.py
+++ b/tests/test_fastapi.py
@@ -112,7 +112,7 @@ def oidc_auth():
 async def test_openid_config_success(make_mock_async_client, discovery, oidc_auth):
 mock_async_client = make_mock_async_client(MockResponse(json=discovery))
 await oidc_auth.check_openid_config(mock_async_client.client)
- assert oidc_auth.openid_config == OIDCConfig.parse_obj(discovery)
+ assert oidc_auth.openid_config == OIDCConfig(**discovery)
 mock_async_client.client.get.assert_called_once_with("openid_url/.well-known/openid-configuration")
 assert oidc_auth.openid_config.issuer == discovery["issuer"], "OpenID configuration not loaded correctly"
From a55dfd7f553a170b1acd41b5001fc4b86dce6c93 Mon Sep 17 00:00:00 2001
From: Peter Boers
Date: Mon, 21 Oct 2024 11:49:52 +0200
Subject: [PATCH 2/2] No Cov for now
---
 .github/workflows/test-package.yml | 48 +++++++++++++++---------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/test-package.yml b/.github/workflows/test-package.yml
index 303b794..f13b7b1 100644
--- a/.github/workflows/test-package.yml
+++ b/.github/workflows/test-package.yml
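Review bot: `"authlib==1.3.1"` in the pyproject.toml hunk keeps an exact pin on the OAuth/JOSE dependency of a library, so every later authlib security release needs a new release of this package before downstream installs can pick it up, and it conflicts with any application that requires a different authlib. A bounded range such as `"authlib>=1.3.1,<2"` keeps the patched version as the floor while still allowing fixes through. `"pydantic-settings"` is added with no bound at all; a floor matching the version the tests ran against would be consistent with `"pydantic>=2"`. The commit message mentions a CVE without naming it, and the advisory id belongs in the description or changelog so consumers can tell whether they are affected.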
@@ -41,27 +41,27 @@ jobs:
 run: |
 mkdir reports
 pytest -vvv --cov-branch --cov-fail-under=80 --cov=oauth2_lib --cov-config=.coveragerc --cov-report=xml
- coverage-combine:
- needs: [build]
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v5
- with:
- python-version: '3.8'
- - name: Get coverage files
- uses: actions/download-artifact@v4
- with:
- name: reports
- path: reports
- - run: pip install coverage[toml]
- - run: ls -la reports
- - run: coverage combine reports
- - run: coverage report
- - run: coverage xml
- - name: "Upload coverage to Codecov"
- uses: codecov/codecov-action@v3
- with:
- token: ${{ secrets.CODECOV_TOKEN }}
- fail_ci_if_error: true
- files: ./coverage.xml
+# coverage-combine:
+# needs: [build]
+# runs-on: ubuntu-latest
+# steps:
+# - uses: actions/checkout@v3
+# - uses: actions/setup-python@v5
+# with:
+# python-version: '3.8'
+# - name: Get coverage files
+# uses: actions/download-artifact@v4
+# with:
+# name: reports
+# path: reports
+# - run: pip install coverage[toml]
+# - run: ls -la reports
+# - run: coverage combine reports
+# - run: coverage report
+# - run: coverage xml
+# - name: "Upload coverage to Codecov"
+# uses: codecov/codecov-action@v3
+# with:
+# token: ${{ secrets.CODECOV_TOKEN }}
+# fail_ci_if_error: true
+# files: ./coverage.xml
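Review bot: Commenting out the whole `coverage-combine` job leaves 24 lines of dead YAML that still reference `secrets.CODECOV_TOKEN` and will drift from the rest of the workflow unnoticed, since commented text is neither parsed nor linted. If the job is meant to return, a job-level `if: false` with a one-line comment giving the reason keeps it valid workflow syntax; otherwise delete it and rely on git history. With this job disabled, `--cov-fail-under=80` in the build job is the only remaining coverage gate, and the XML report produced by `--cov-report=xml` is not consumed by any step visible here.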