|refactoring Gitorious::Authentication plugins||Ken Dreyer||7/4/12 8:12 AM|
Sebastian Noack and I were discussing the Gitorious::Authentication
plugins, and Sebastian brought up an interesting point.
Sebastian noticed that the Kerberos plugin only replaces dots ('.') in
usernames, but there are more invalid characters. In his SSL
Authentication plugin, he uses a regex to replace all invalid
characters. He also has a configurable option to allow admins to
transform "s.noack" to either "snoack" or "s-noack", for example.
This brings up a larger point with the Gitorious::Authentication code:
now that we have all these G::A plugins, a lot of code duplication has
sprung up. The username sanitation is a perfect example, because I
myself copied the code from the G::A::LDAPAuthentication class. If we
follow Sebastian's suggestion to fix the username sanitation in one
plugin, we really ought to fix it in all plugins. Another problem is
with security: see
example. It is tedious to have to make identical changes across
Sebastian suggested that we could use mixins to provide common
features like username transformation or auto-registration. We decided
to take the discussion to the list to get more feedback. Gitorious
devs: What do you think? Do you have any feedback on the naming or
locations of such mixins?
(Please keep Sebastian CC'd, as he's not currently subscribed to the list)
|Re: refactoring Gitorious::Authentication plugins||Sebastian Noack||7/5/12 4:07 AM|
I hope that email will also reach the group/mailing list. I have already
done some work on the authentication plugin refactoring. The patch is
in the attachment. It would be nice to get some feedback. And can you
test whether it still works with Kerberos authentication, please?
First of all I have moved the username transformation and
auto-registration from the LDAP, Kerberos and SSL authentication
plugins into two mixins:
Those mixins can be used separately or in combination, like below:
That's it. The mixins will add their own code to the authentication
plugins' initialization, in order to parse their options. And the
AutoRegistration mixin will also implement the authenticate() method
for you, based on get_login() and get_attributes().
get_login() must return the login name. If you have also included the
UsernameTransformation mixin like above, the returned login name will
automatically be transformed to a valid Gitorious username.
get_attributes() must return a Hash holding additional information like
email and fullname, saved during auto-registration.
After I have moved all the code into mixins, I realised that the only
difference between the Kerberos and SSL authentication plugin is the
name of the server variables they rely on. So I replaced the Kerberos
and SSL authentication plugin with a generic HTTP authentication
plugin, which can be configured to use any server variable as login
name or to get information during auto-registration from. The new HTTP
authentication plugin will work with every web server based
authentication method, including Kerberos, SSL client certificates,
Basic Auth and everything else.
So what do you think, so far?
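A sketch of the mixin layout described in this post, together with the configurable username transformation Ken raised ("s.noack" to "snoack" or "s-noack"), as an added Ruby example that is not Sebastian's patch or Gitorious code; the module names, option keys, the USERS store and the server-variable names are all assumptions.

```ruby
# Added illustration of the mixin design described in the thread: module,
# option and server-variable names are assumptions, USERS stands in for
# the Gitorious User model, and none of this is Gitorious code.
USERS = {} # login => {email:, fullname:} (constructed in-memory store)

module UsernameTransformation
  INVALID = /[^a-z0-9_-]+/ # assumed Gitorious login rule
  def configure_username_transformation(options)
    # "" drops invalid characters ("snoack"); "-" yields "s-noack".
    @username_replacement = options.fetch("username_replacement", "")
  end
  def transform_username(raw)
    raw.to_s.downcase.gsub(INVALID, @username_replacement)
  end
end

module AutoRegistration
  def configure_auto_registration(options)
    @auto_register = options.fetch("auto_register", false)
  end
  # authenticate() comes from the mixin, built on the plugin's get_login()
  # and get_attributes(); the login is transformed first when included.
  def authenticate(env)
    login = get_login(env).to_s
    login = transform_username(login) if respond_to?(:transform_username)
    # Missing or unusable principal (nothing alphanumeric left): deny.
    return nil unless login.match?(/[a-z0-9]/)
    return login if USERS.key?(login)
    return nil unless @auto_register
    USERS[login] = get_attributes(env)
    login
  end
end

# Generic HTTP plugin: the server variables to read are configuration, so
# Kerberos (REMOTE_USER) and SSL (SSL_CLIENT_S_DN_*) need no own class.
class HttpAuthentication
  include UsernameTransformation
  include AutoRegistration
  def initialize(options)
    @vars = options.fetch("variables") # "login", "email", "fullname" keys
    configure_username_transformation(options)
    configure_auto_registration(options)
  end
  def get_login(env)
    env[@vars["login"]]
  end
  def get_attributes(env)
    { email: env[@vars["email"]], fullname: env[@vars["fullname"]] }
  end
end
```

Every such transformation is many-to-one: with the strip option both "s.noack" and "snoack" become "snoack", so a collision between two distinct principals means one account is reachable by the other and should be treated as such, not as a cosmetic issue.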