server-auth icon indicating copy to clipboard operation
server-auth copied to clipboard
verified publisher icon OCA

[15.0][FIX] auth_saml: do not force using vulnerable cryptography module

Open vincent-hatakeyama opened this issue 1 year ago • 8 comments

Without this fix, it is impossible to use an upgraded version of cryptography with this module.

It is still necessary to check for compatibility, so that information is added to the install instructions.

vincent-hatakeyama avatar Apr 22 '24 15:04 vincent-hatakeyama

/ocabot merge patch

vincent-hatakeyama avatar Apr 29 '24 15:04 vincent-hatakeyama

Sorry @vincent-hatakeyama you are not allowed to merge.

To do so you must either have push permissions on the repository, or be a declared maintainer of all modified addons.

If you wish to adopt an addon and become it's maintainer, open a pull request to add your GitHub login to the maintainers key of its manifest.

OCA-git-bot avatar Apr 29 '24 15:04 OCA-git-bot

/ocabot rebase

thomaspaulb avatar Jun 06 '24 19:06 thomaspaulb

@thomaspaulb The rebase process failed, because command git push --force xcgd tmp-pr-640:15.0-auth_saml-fix-cryptography_version failed with output:

remote: Permission to xcgd/server-auth.git denied to OCA-git-bot.
fatal: unable to access 'https://github.com/xcgd/server-auth/': The requested URL returned error: 403

OCA-git-bot avatar Jun 06 '24 19:06 OCA-git-bot

@vincent-hatakeyama Could you rebase or allow access

thomaspaulb avatar Jun 06 '24 19:06 thomaspaulb

@vincent-hatakeyama Could you rebase or allow access

I’ve juste rebased.

vincent-hatakeyama avatar Jun 07 '24 14:06 vincent-hatakeyama

@sbidoul I need your input here.. this goes against this. Is test-requirements.txt OK to edit directly or is there some setup.py magic that we should do to override the module dependency for the test, but not for the module itself?

Or, come to think of it, could we override it there, to let the requirements.txt include the limit but to leave the module's manifest free for users of the module to decide?

thomaspaulb avatar Jun 07 '24 18:06 thomaspaulb

I agree we should not place an upper bound on cryptography in the module. My initial approach was not optimal. This PR is better.

Last time I checked, the pin on pyopenssl 19 on Odoo's requirements.txt was not really necassary? So another approach could be putting a minimum pyopenssl version in auth_saml2's external dependencies. I think we have done that somewhere, but I can't find it right now.

Longer term, I would like to try and stop using Odoo's requirements.txt in oca/oca-ci, in favor of a custom set of upper bounds on dependencies that are known not to work with Odoo (things like xlrd<2, etc...).

sbidoul avatar Jun 10 '24 09:06 sbidoul

@vincent-hatakeyama Could you rebase or allow access

I’ve rebased again.

vincent-hatakeyama avatar Sep 18 '24 07:09 vincent-hatakeyama

Sounds like a good solution.

/ocabot merge patch

sbidoul avatar Sep 18 '24 07:09 sbidoul

This PR looks fantastic, let's merge it! Prepared branch 15.0-ocabot-merge-pr-640-by-sbidoul-bump-patch, awaiting test results.

OCA-git-bot avatar Sep 18 '24 07:09 OCA-git-bot

Congratulations, your PR was merged at 241f1b8c4a711f8425fc2a3356f54d0a3083d65c. Thanks a lot for contributing to OCA. ❤️

OCA-git-bot avatar Sep 18 '24 07:09 OCA-git-bot