Expanded auth system #160
Expanded auth system #160
Conversation
| my ($self) = @_; | ||
| my $headers = $self->req->headers; | ||
| my $username = 'FakeUser'; | ||
| my $email = 'fake@user.org'; |
There was a problem hiding this comment.
How about using "Admin" or "Demo"? The reason I came up with fake auth was demoing openQA in front of "customers". I fear "FakeUser" looks a bit odd in such situation :)
|
Are you still storing the full openid url for a user? That is needed in case the openid provider is switched. |
|
No, I don't store openid url anymore, just username. |
- rename Users table column openid to username
- only when not logged in - when logged in return 403 as before
- plugins are stored in OpenQA/Auth directory as OpenQA::Auth packages - plugins must export auth_config, auth_login, auth_logout methods - plugins return hash (error => int, redirect => string) or undef error = 0 means success, if redirect is set, Session controller redirects - which plugin to use is specified in [auth] section of openqa.ini (by default OpenID) - when response from auth server is required (as in OpenID), response route is linked to auth_response
|
I restored storing of openid identity urls in username column and removed any attempts to automatically match username to identity urls. In docu I thus plan to add note if admin wants to change auth method, she should prepare users db migration by herself. |
|
I'd tend to merge this (especially as I need to rebase my branch once more for one more migration), but I think what we're missing is documentation on how to set this up. |
|
I'll add the proper docu today, but in few words: For OpenID auth there is no change needed. To activate different auth methods just change [auth] method option in openqa.ini. |
|
but fake auth is the one we should default to in git IMO. |
|
I've a small concern, removed openid section from defaults, actually the code below will ignore your openid config in the openqa.ini for example it will always httpsonly even I sets httpsonly=0 in openqa.ini...doesn't it? |
|
hmm..I've opened #166 |
6b6002d added iChain, in github PR os-autoinst#160 and progress ticket https://progress.opensuse.org/issues/1729. When trying to cover authentication modules with better tests I realized that there is already a typo in one of the request parameters. I doubt iChain authentication ever worked or would still work. I assume it is not used at all so we are better off removing it from the current code.
Contrary to the branch name this does not contain nonblocking openid. Instead this introduces plugin based authentication system together with plugins for OpenID, iChain and Fake auth (for development purposes).