Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth redesign #687

Merged
merged 5 commits into from
Dec 14, 2015
Merged

Auth redesign #687

merged 5 commits into from
Dec 14, 2015

Conversation

ejholmes
Copy link
Contributor

I've added Godeps in this, so you probably want to ignore the first commit.

This is a redesign of the authentication and authorization layer to fix some bugs and improve the existing behavior, as well as open it up for the addition of more granular authorization in the (near?) future.

But, primarily, this does the following:

  1. The idea of authentication and authorization have been decoupled from each other. This fixes a potential security vulnerability where if a user leaves a github organization, their empire access tokens would still be valid. Organization membership is always checked now (however, the implementation should probably cache in memory for some reasonable amount of time for perf reasons this now gets cached for 30 minutes in memory, if the authorization check is positive).
  2. You can now use an existing auth token to obtain a new auth token.
  3. You can now use github credentials and otp for normal API requests (although, you're still better off using those creds to obtain an access token).
  4. A nice side effect of this is that the entire API can now be wrapped in authorization instead of each individual endpoint. This makes it less likely that we add an endpoint and forget to wrap it with authentication.
  5. The flaky test failures on server/authorization/github/client_test.go have been fixed.

Configuration is also logged on boot now:

server_1   | 2015/12/14 03:45:16 Using GitHub authentication backend with the following configuration:
server_1   | 2015/12/14 03:45:16   ClientID: e9a709caf6124bb46c23
server_1   | 2015/12/14 03:45:16   ClientSecret: ****
server_1   | 2015/12/14 03:45:16   Scopes: [repo_deployment read:org]
server_1   | 2015/12/14 03:45:16   GitHubAPI:
server_1   | 2015/12/14 03:45:16 Adding GitHub Organization authorizer with the following configuration:
server_1   | 2015/12/14 03:45:16   Organization: remind101

TODO

  • Add an in memory caching implementation of the Authorizer interface.
  • Add an Authenticator that can accept github access tokens. This would be really nice to support for automation: just create a new github personal access token and supply it as the password in basic auth.
  • Add an Authorizer implementation that check's team membership.

This was referenced Dec 13, 2015
Merged
Closed
@phobologic
Copy link
Contributor

Awesome stuff man. 👍

ejholmes added a commit that referenced this pull request Dec 14, 2015
@ejholmes
Merge pull request #687 from remind101/auth
a767cbd 
Auth redesign
@ejholmes ejholmes merged commit a767cbd into master Dec 14, 2015
@ejholmes ejholmes deleted the auth branch December 14, 2015 22:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ejholmes @phobologic