Modify

Opened 6 years ago

Closed 5 years ago

Last modified 5 years ago

#3707 closed defect (fixed)

Ability to provide whitelist of OpenIDs

Reported by: ross.fenning@… Owned by: dalius
Priority: low Component: AuthOpenIdPlugin
Severity: normal Keywords: user, users, whitelist, security
Cc: Trac Release: 0.11

Description

When using HTTP authentication, it was perfectly possible to manage the htpasswd file in Apache as I wished and only allow logins to specific people. I've not enabled OpenID and disabled the original login mechanism and, as far as I can see, this has now opened up my Trac to anyone with an OpenID.

Is there a way to allow only a given list of OpenIDs? I've looked around for a good hour and couldn't quite find it if it can be done. If it cannot be done, I'd like to request this as a feature.

Attachments (0)

Change History (10)

comment:1 Changed 6 years ago by dalius

At the moment it can't be done. I can't promise to implement that soon because I have more important things to do. Feel free to implement that yourself - that's what open source is about after all.

comment:2 Changed 6 years ago by ross.fenning@…

  • Priority changed from normal to low

Absolutely :-)

Any hints on parts of the code relevant before I dive in? I am thankfully fairly proficient in Python.

comment:3 Changed 6 years ago by dalius

That shouldn't be very hard if whitelist is very short:

  1. Look how to use Options. I guess you could create Option white_list with comma separated list of openids. More advanced option could use wildcards or regexps.
  1. Check file authopenid.py (http://hg.sandbox.lt/authopenid-plugin/file/0570350f5955/authopenid/authopenid.py). The actual log in happends in function _do_process in if case "info.status == consumer.SUCCESS:".

HTH :)

comment:4 Changed 6 years ago by michela

A whitelist feature would be great. I'd like to restrict authentications to a managed list but allow my private community to use OpenID as a single sign-on system.

Is there any scope for a more scalable approach where you could query a REST api for whitelist and/or blacklist?

.M.

michela around modfilms.com

comment:5 Changed 6 years ago by dalius

  • Resolution set to fixed
  • Status changed from new to closed

white_list and black_list options added to openid section. Please look at example how to use these: http://trac-hacks.org/wiki/AuthOpenIdPlugin

I will contact michela for his/her specific case. Since I'm not aware about any standard defining [OpenId] whitelisting/blacklisting. New ticket will be created for that specific case.

comment:6 Changed 5 years ago by michela

  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Type changed from enhancement to defect

Hi dalius, thanks for implementing the whitelist feature I suggested. Any thoughts on below?

The functionality as described in config is what I was after but I'm getting an error with this traceback

Traceback (most recent call last):

  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 423, in _dispatch_request

    dispatcher.dispatch(req)

  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 197, in dispatch

    resp = chosen_handler.process_request(req)

  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 221, in process_request

  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 432, in _do_process

  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 275, in load

  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 315, in loads

  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 315, in decode

  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 333, in raw_decode

ValueError: No JSON object could be decoded


I've set up a test whitelist service as above and tested against JSONLint so I think my output is valid - http://www.jsonlint.com/

TRUE http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=michela.myopenid.com

FALSE http://chief/openidallow/check_list?check_list_key=notwhitelisted.myopenid.com

If you want to use my service for your testing, just email me your openid and I'll whitelist it

Cheers

.M.

comment:7 Changed 5 years ago by michela

my trac.ini config for reference

[openid]absolute_trust_root = falsesignup = https://www.myopenid.com/signup?affiliate_id=18260&openid.sreg.optional=email,nickname
sreg_required = false
strip_protocol = false
strip_trailing_slash = false
timeout = false
whatis = http://openid.net/what/
# In addition to white and black lists you can use external service
# for allowing users into trac. To control that you must use check_list
# and check_list_key option. It will generate URL:
# check_list?check_list_key=openid
# It expects JSON result in following format:
# {"check_list_key": true}
# IMPORTANT: this functionality uses simplejson which might not be available on your system by default. Install it if you want to use this functionality.
# IMPORTANT: strip_protocol and strip_trailing_slash affects what openid will be send to service
check_list = http://trac.modfilms.com:7861/openidallow
check_list_key = check_list

comment:8 follow-up: Changed 5 years ago by dalius

  • Resolution set to fixed
  • Status changed from reopened to closed

That's configuration issue. Should be:

check_list=http://trac.modfilms.com:7861/openidallow/check_list
check_list_key=check_list_key

You can see debug messages before this error as well:
1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt

In your case you should see incorrect URL string.

comment:9 in reply to: ↑ 8 Changed 5 years ago by michela

Replying to dalius:

That's configuration issue. Should be:

check_list=http://trac.modfilms.com:7861/openidallow/check_list
check_list_key=check_list_key

You can see debug messages before this error as well:
1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt

In your case you should see incorrect URL string.

Thanks dalius. That's great.

The whitelist needs to support a few variations of the url (optional protocol and/or trailing slash)

comment:10 Changed 5 years ago by dalius

Michela, I don't really understand. If you are speaking about strip_protocol and strip_trailing_slash options I think that should be handled by whitelist service side because otherwise we would need to make several requests from plugin side.

Add Comment

Modify Ticket

Action
as closed .
as The resolution will be set. Next status will be 'closed'.
to The owner will be changed from dalius. Next status will be 'closed'.
The resolution will be deleted. Next status will be 'reopened'.
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.