Hi mantainers,
I am writing to follow up on a previous discussion regarding HTTP password tokens (reference: https://groups.google.com/g/repo-discuss/c/UVEmpQOlXJQ/m/lGSUvtKdAQAJ).
Currently generating a new HTTP password overwrites the old one. This can disrupt CI systems and other services that rely on the old password for authentication. A previous suggestion involved maintaining the old password validity for a specific timeframe (TTL) after generating a new one.
To address this issue, I propose introducing a new field named `oldPassword` within the `ExternalIDs` entity. When a new HTTP password is generated, the new password replaces the existing `password` field and the old password is moved to the newly created `oldPassword` field. During authentication, the system would then check if the provided password matches either the current `password` or the stored `oldPassword`. Additionally, the `oldPassword` would have an associated TTL stored within `ExternalIDs` to ensure its automatic expiration.
On 14 Jun 2024, at 17:09, Xiaohan Jiang Chen <xiaohan....@arm.com> wrote:Hi mantainers,
I am writing to follow up on a previous discussion regarding HTTP password tokens (reference: https://groups.google.com/g/repo-discuss/c/UVEmpQOlXJQ/m/lGSUvtKdAQAJ).
Currently generating a new HTTP password overwrites the old one. This can disrupt CI systems and other services that rely on the old password for authentication. A previous suggestion involved maintaining the old password validity for a specific timeframe (TTL) after generating a new one.
To address this issue, I propose introducing a new field named `oldPassword` within the `ExternalIDs` entity. When a new HTTP password is generated, the new password replaces the existing `password` field and the old password is moved to the newly created `oldPassword` field. During authentication, the system would then check if the provided password matches either the current `password` or the stored `oldPassword`. Additionally, the `oldPassword` would have an associated TTL stored within `ExternalIDs` to ensure its automatic expiration.
We can see that this solution would require changes to the core Gerrit server. Therefore I wanted to start a discussion first before making any change.s I wonder if you have any thoughts on this potential solution or any suggestions for better ways we could achieve this functionality.
On 14 Jun 2024, at 17:09, Xiaohan Jiang Chen <xiaohan....@arm.com> wrote:Hi mantainers,
I am writing to follow up on a previous discussion regarding HTTP password tokens (reference: https://groups.google.com/g/repo-discuss/c/UVEmpQOlXJQ/m/lGSUvtKdAQAJ).
Currently generating a new HTTP password overwrites the old one. This can disrupt CI systems and other services that rely on the old password for authentication. A previous suggestion involved maintaining the old password validity for a specific timeframe (TTL) after generating a new one.
To address this issue, I propose introducing a new field named `oldPassword` within the `ExternalIDs` entity. When a new HTTP password is generated, the new password replaces the existing `password` field and the old password is moved to the newly created `oldPassword` field. During authentication, the system would then check if the provided password matches either the current `password` or the stored `oldPassword`. Additionally, the `oldPassword` would have an associated TTL stored within `ExternalIDs` to ensure its automatic expiration.I believe we just need a way to have a user with multiple passwords, exactly as we have a way to have a user with multiple SSH keys.“old” prefix looks a bit short-sighted.
Also I like the approach of setting an expire date, I would also argue that we do need a way to configure the algorithm as different companies may have different security constraints.
On 17 Jun 2024, at 10:58, Xiaohan Jiang <xiaoh...@gmail.com> wrote:Thanks for you reply, really appreciate your feedback!On Monday 17 June 2024 at 09:27:38 UTC+1 Luca Milanesio wrote:On 14 Jun 2024, at 17:09, Xiaohan Jiang Chen <xiaohan....@arm.com> wrote:Hi mantainers,
I am writing to follow up on a previous discussion regarding HTTP password tokens (reference: https://groups.google.com/g/repo-discuss/c/UVEmpQOlXJQ/m/lGSUvtKdAQAJ).
Currently generating a new HTTP password overwrites the old one. This can disrupt CI systems and other services that rely on the old password for authentication. A previous suggestion involved maintaining the old password validity for a specific timeframe (TTL) after generating a new one.
To address this issue, I propose introducing a new field named `oldPassword` within the `ExternalIDs` entity. When a new HTTP password is generated, the new password replaces the existing `password` field and the old password is moved to the newly created `oldPassword` field. During authentication, the system would then check if the provided password matches either the current `password` or the stored `oldPassword`. Additionally, the `oldPassword` would have an associated TTL stored within `ExternalIDs` to ensure its automatic expiration.I believe we just need a way to have a user with multiple passwords, exactly as we have a way to have a user with multiple SSH keys.“old” prefix looks a bit short-sighted.Also I like the approach of setting an expire date, I would also argue that we do need a way to configure the algorithm as different companies may have different security constraints.
We can see that this solution would require changes to the core Gerrit server. Therefore I wanted to start a discussion first before making any change.s I wonder if you have any thoughts on this potential solution or any suggestions for better ways we could achieve this functionality.I have the impression that it can be implemented as a plugin, which could easily become a core plugin.Alternatively, the right way to go is a design document, which could be a much longer path to follow.If a plugin is the way to go, I believe that changes to the Gerrit codebase would still be required, right?
Particularly how PasswordVerifier would be extended to handle checking for multiple passwords. Additionally, by implementing a plugin do you mean storing these "old" passwords separate from the externalIDs?
Up to you, for which way you’d like to go.Luca.
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/9784196c-525a-466f-bb64-07be8e0900acn%40googlegroups.com.
On 14 Jun 2024, at 17:09, Xiaohan Jiang Chen <xiaohan....@arm.com> wrote:Hi mantainers,
I am writing to follow up on a previous discussion regarding HTTP password tokens (reference: https://groups.google.com/g/repo-discuss/c/UVEmpQOlXJQ/m/lGSUvtKdAQAJ).
Currently generating a new HTTP password overwrites the old one. This can disrupt CI systems and other services that rely on the old password for authentication. A previous suggestion involved maintaining the old password validity for a specific timeframe (TTL) after generating a new one.
To address this issue, I propose introducing a new field named `oldPassword` within the `ExternalIDs` entity. When a new HTTP password is generated, the new password replaces the existing `password` field and the old password is moved to the newly created `oldPassword` field. During authentication, the system would then check if the provided password matches either the current `password` or the stored `oldPassword`. Additionally, the `oldPassword` would have an associated TTL stored within `ExternalIDs` to ensure its automatic expiration.I believe we just need a way to have a user with multiple passwords, exactly as we have a way to have a user with multiple SSH keys.“old” prefix looks a bit short-sighted.
On 26 Jun 2024, at 16:57, Xiaohan Jiang <xiaoh...@gmail.com> wrote:Hi maintainers,I am trying to write a plugin as suggested above and ran into an issue where I'm unable to bind my custom implementation of `PasswordVerifier` from the plugin because the binding is already set in the `ExternalIdModule`.
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/635ab276-3377-4be0-9101-0cdfe9008deen%40googlegroups.com.
On 26 Jun 2024, at 16:57, Xiaohan Jiang <xiaoh...@gmail.com> wrote:Hi maintainers,I am trying to write a plugin as suggested above and ran into an issue where I'm unable to bind my custom implementation of `PasswordVerifier` from the plugin because the binding is already set in the `ExternalIdModule`.Look at how I’ve implemented the authentication on the GitHub plugin at [1].You have to implement a filter managing the basic authentication and then propagate the authenticated user back to Gerrit.