Implement SASL authorisation identity #3790
Conversation
captain-caveman2k
force-pushed
the
sasl-authzid
branch
6 times, most recently
from
7846957
to
dd19a7b
Compare
docs/cmdline-opts/sasl-authzid.d
Outdated
| Help: Use this identity during SASL PLAIN authentication | ||
| Added: 7.65.0 | ||
| --- | ||
| Use this identity during SASL PLAIN authentication. |
There was a problem hiding this comment.
I think this could use a little expanding as if you're not a SASL PLAIN expert, this is really hard to understand.
There was a problem hiding this comment.
I have expanded this - could you please take a look and let me know what you think?
| authorisation identity for the transfer. Only applicable to the following | ||
| supporting SASL authentication mechanisms: | ||
|
|
||
| * Plain |
There was a problem hiding this comment.
Plain? If there's really only one method that curl supports that this works for, then I think having it show as a list seems to complicate the description more than necessary.
There was a problem hiding this comment.
I have updated as suggested.
| .SH DESCRIPTION | ||
| Pass a char * as parameter, which should be pointing to the zero terminated | ||
| authorisation identity for the transfer. Only applicable to the following | ||
| supporting SASL authentication mechanisms: |
There was a problem hiding this comment.
Perhaps also a word about what this string is or is used for for those who hasn't read the RFC lately?
Since we've supported SASL PLAIN logins already since before without this option, I think it could make sense to also describe what happens if a user doesn't set this option while trying SASL PLAIN.
There was a problem hiding this comment.
I have updated.
captain-caveman2k
force-pushed
the
sasl-authzid
branch
2 times, most recently
from
8f0dd36
to
71870ce
Compare
|
I think you might be early on the approval correct me if I'm wrong but this looks like WIP. The commits should be squashed into one titled in the present tense and I don't see where conn->authzid comes about from data->set.str[STRING_SASL_AUTHZID] that part looks incomplete. The doc says the default is blank but shouldn't it be NULL? If a dev wants to reset it are they doing this curl_easy_setopt(curl, CURLOPT_SASL_AUTHZID, "") or curl_easy_setopt(curl, CURLOPT_SASL_AUTHZID, NULL)? I think it should be the latter, maybe a blank entry is valid (or maybe not I don't know sasl but anyway I like NULL for consistency with the other options). |
captain-caveman2k
force-pushed
the
sasl-authzid
branch
from
71870ce
to
30fa720
Compare
|
@jay - Yes this is work in progress but this PR allows others to comment and give feedback through the development process and for Savageman to see whether it meets his requirements. Please note: There are still open questions above about the connection re-use. Initialisation of conn->authzid - Fixed, tidied up (renamed for consistency) and pushed. Thank you. Squashing - as you know I am dead against having huge monoethnic commits and encourage more contributors to split their commits up into smaller functional changes/units (just like I was encouraged to do back in 2011 when I joined the project), as it a) helps the review process and b) helps identify where problems are introduced through the use of git bisect for example. (As per our guidelines: https://curl.haxx.se/dev/contribute.html). The only commit that should probably be squashed is the correction of existing tests which I have now reworked into it's own functional unit (Now the second commit). Docs - Default is blank or NULL. I have no preference. blank is what was present from the document I copied to create this one (either CUROPT_MAIL_FROM or CURLOPT_PASSWORD - I can't remember which). Reset of option - Either should work. In the event that NULL is passed to the Curl_auth_create_plain_message() function, it will detect this and set zlen to 0. In the event that "" is passed it will use strlen() which will return 0 and also set zlen to the same. |
captain-caveman2k
force-pushed
the
sasl-authzid
branch
2 times, most recently
from
27a1def
to
f986d23
Compare
|
Can I suggest you use [WIP] (or similar) in the title then while the PR is not yet ready? |
Yes, totally appropriate. I was only pointing out it looked like a WIP (sometimes titled as [WIP]) and early on the approval.
Respectfully though people do that in PRs all the time they're squashed before going upstream because they address a single issue. It may be useful for review just not useful upstream. There is no benefit to having --sasl-authzid separate from CURLOPT_SASL_AUTHZID separate from a working implementation in the library. That's 3 piecemeal commits that could be one with a commit message that outlines each of those things. That said one of the other commits arguably does address a separate issue by not sending authcid as authzid. My advice is send that one commit upstream with refs to 3653 and here then rebase on that. (edit: Travis seems to be bogged down so the CI still isn't complete, so I can't tell if the modified tests passed) |
captain-caveman2k
force-pushed
the
sasl-authzid
branch
from
f986d23
to
73e4fa2
Compare
captain-caveman2k
changed the title
Added. I did look for a WiP label but couldn't see one - I even contemplated adding one but didn't in the end ;-) |
|
I've pondered that too, but I've used [WIP] before myself. It's possibly slightly more visible. github also allows the creation of a PR that is sort of wip, but for some reason our travis jobs don't run in those so they're not as useful right now. |
captain-caveman2k
force-pushed
the
sasl-authzid
branch
from
73e4fa2
to
b838f35
Compare
captain-caveman2k
force-pushed
the
sasl-authzid
branch
2 times, most recently
from
d81aac5
to
3383ff3
Compare
captain-caveman2k
force-pushed
the
sasl-authzid
branch
from
c43bfe1
to
4377882
Compare
captain-caveman2k
removed
the
feature-window
captain-caveman2k
changed the title
|
Temporarily reverted in db8ec1f due to pending patch release. |
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes curl#3653 Closes curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: curl#3653 Ref: curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes curl#3653 Closes curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: curl#3653 Ref: curl#3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #xxxx
Added the ability for the calling program to specify the authorisation identity (authzid), the identity to act as, in addition to the authentication identity (authcid) and password when using SASL PLAIN authentication. Fixes #3653 Closes #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #4186
- Change data and protocol sections to CRLF line endings. Prior to this change the tests would fail or hang, which is because certain sections such as protocol require CRLF line endings. Follow-up to grandparent commit which added the tests. Ref: #3653 Ref: #3790 NOTE: This commit was cherry-picked and is part of a series of commits that added the authzid feature for upcoming 7.66.0. The series was temporarily reverted in db8ec1f so that it would not ship in a 7.65.x patch release. Closes #4186
|
Is it this intented to be merged again? |
I moved it to #4186 for CI rather than take this one over. It landed yesterday. |
|
@jay: Great news — thank you! |
This patch set adds support for the authorisation identity to IMAP, POP3 and SMTP when using the PLAIN SASL authentication mechanism.
Questions: