Add guest user capability #3
Conversation
This data will be used to generate authentication artifacts for users outside the team.
This enables users in the _data/private/hub/guest_users.yml list to access the Hub. Authenication includes are generated, but do not link to any pages. On top of being a nice touch, they're necessary to avoid breaking the Server Side Include directive in _layouts/bare.html, since there's no means of checking the existence of an included file in SSI itself. We could write a small CGI process to check this and generate the authentication include on the fly, but that defeats the purpose of keeping the Hub otherwise all-static.
| @@ -6,24 +6,37 @@ class Auth | |||
| # true. | |||
| # +site+:: Jekyll site object | |||
| def self.generate_artifacts(site) | |||
| return if site.config['public'] | |||
| return if site.config['public'] == true | |||
There was a problem hiding this comment.
Ruby convention is rely on truthiness, unless there's some reason to explicitly check for the boolean value.
There was a problem hiding this comment.
Don't know why I did that. Fixed.
|
I don't really understand how the auth include works, but looks fine to me otherwise! Also, do you think that auth logic would be generally useful enough to move to a standalone gem (at some point)? |
|
Updated the comment for Auth.generate_user_authentication_include() to try to explain a little more clearly how the auth include works. Happy to discuss it further if it's not clear. Pushing the logic into a gem is an interesting idea. Certainly happy to consider it! |
|
Is there anything new that needs to be added to the deploy instructions? What sets |
After digging deeper into the origin of $REMOTE_USER at Aidan Feldman's request in #3, I realized that the user's entire email address was available to nginx's Server Side Include module via the embedded $http_x_forwarded_email variable, set by ngx_http_core_module: http://nginx.org/en/docs/http/ngx_http_core_module.html#var_http_ Using this to create each directory under _site/auth seems preferable to $REMOTE_USER, since having the domain name available as part of the generated directory name may help to avoid conflicts, should we ever wish to grant access to users from other domains.
|
I researched the origin of $REMOTE_USER and added those comments to the generate_user_authentication_include() comment. What's more, I realized the availability of $http_x_forwarded_email and replaced $REMOTE_USER with that variable instead, since it helps avoid potential collisions should we ever wish to grant access to someone outside the gsa.gov domain. PTAL. |
|
Oh, and no, nothing in the deploy instructions needs to be updated. |
Enables the Hub to generate authentication include files and authenticated email address entries for guest users outside of the team.
The joiner_test.rb Minitest conversion and DummyTestPage extraction are pure refactorings.