
Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#3707 closed defect (fixed)

Ability to provide whitelist of OpenIDs

Reported by: ross.fenning@…
Owned by: dalius
Priority: low
Component: AuthOpenIdPlugin
Severity: normal
Keywords: user, users, whitelist, security
Cc:
Trac Release: 0.11

Description

When using HTTP authentication, it was perfectly possible to manage the htpasswd file in Apache as I wished and only allow logins to specific people. I've now enabled OpenID and disabled the original login mechanism and, as far as I can see, this has now opened up my Trac to anyone with an OpenID.

Is there a way to allow only a given list of OpenIDs? I've looked around for a good hour and couldn't quite find it if it can be done. If it cannot be done, I'd like to request this as a feature.

Attachments (0)

Change History (10)

comment:1 Changed 6 years ago by dalius

At the moment it can't be done. I can't promise to implement that soon because I have more important things to do. Feel free to implement that yourself - that's what open source is about after all.

comment:2 Changed 6 years ago by ross.fenning@…

  • Priority changed from normal to low

Absolutely :-)

Any hints on parts of the code relevant before I dive in? I am thankfully fairly proficient in Python.

comment:3 Changed 6 years ago by dalius

That shouldn't be very hard if the whitelist is very short:

  1. Look at how to use Options. I guess you could create an Option white_list with a comma-separated list of openids. A more advanced option could use wildcards or regexps.
  2. Check the file authopenid.py (http://hg.sandbox.lt/authopenid-plugin/file/0570350f5955/authopenid/authopenid.py). The actual log in happens in function _do_process, in the if case "info.status == consumer.SUCCESS:".

HTH :)
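An added example of the local list check sketched in comment:3 (hypothetical helper names, not the plugin's own code). It assumes an empty white_list imposes no restriction, that black_list wins over white_list, and a single wildcard form in which '*' does not cross a '/' so that "*.myopenid.com" cannot be satisfied by a path under another host.

```python
import re

# Added example, not the plugin's code. Assumptions: an empty white_list means
# no restriction; black_list is checked first and always wins.

def normalize_openid(openid, strip_protocol=True, strip_trailing_slash=True):
    """Canonicalise an identifier so list entries and logins compare equal."""
    openid = openid.strip().lower()
    if strip_protocol and "://" in openid:
        openid = openid.split("://", 1)[1]
    if strip_trailing_slash:
        openid = openid.rstrip("/")
    return openid


def parse_list(option_value, **norm):
    """Comma-separated option value -> list of normalised patterns."""
    return [normalize_openid(p, **norm) for p in option_value.split(",") if p.strip()]


def pattern_to_regex(pattern):
    """'*' matches within one path segment only, so '*.myopenid.com' is not
    satisfied by an identifier such as 'evil.example/x.myopenid.com'."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + "[^/]*".join(parts) + "$")


def is_allowed(openid, white_list="", black_list="",
               strip_protocol=True, strip_trailing_slash=True):
    """Return True only if the identifier passes both lists."""
    norm = dict(strip_protocol=strip_protocol, strip_trailing_slash=strip_trailing_slash)
    ident = normalize_openid(openid, **norm)
    if any(pattern_to_regex(p).match(ident) for p in parse_list(black_list, **norm)):
        return False
    white = parse_list(white_list, **norm)
    if not white:
        return True  # assumed semantics: no white_list configured -> no restriction
    return any(pattern_to_regex(p).match(ident) for p in white)
```

With strip_protocol = false the list entries must carry the scheme themselves, which is the variation problem raised later in the ticket.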

comment:4 Changed 6 years ago by michela

A whitelist feature would be great. I'd like to restrict authentications to a managed list but allow my private community to use OpenID as a single sign-on system.

Is there any scope for a more scalable approach where you could query a REST API for a whitelist and/or blacklist?

.M.

michela around modfilms.com

comment:5 Changed 6 years ago by dalius

  • Resolution set to fixed
  • Status changed from new to closed

white_list and black_list options added to the openid section. Please look at the example of how to use these: http://trac-hacks.org/wiki/AuthOpenIdPlugin

I will contact michela for his/her specific case, since I'm not aware of any standard defining [OpenId] whitelisting/blacklisting. A new ticket will be created for that specific case.

comment:6 Changed 6 years ago by michela

  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Type changed from enhancement to defect

Hi dalius, thanks for implementing the whitelist feature I suggested. Any thoughts on the below?

The functionality as described in the config is what I was after, but I'm getting an error with this traceback:

Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 423, in _dispatch_request
    dispatcher.dispatch(req)
  File "/usr/lib/python2.4/site-packages/Trac-0.11.1-py2.4.egg/trac/web/main.py", line 197, in dispatch
    resp = chosen_handler.process_request(req)
  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 221, in process_request
  File "build/bdist.linux-i686/egg/authopenid/authopenid.py", line 432, in _do_process
  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 275, in load
  File "build/bdist.linux-i686/egg/simplejson/__init__.py", line 315, in loads
  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 315, in decode
  File "build/bdist.linux-i686/egg/simplejson/decoder.py", line 333, in raw_decode
ValueError: No JSON object could be decoded

I've set up a test whitelist service as above and tested against JSONLint so I think my output is valid - http://www.jsonlint.com/

TRUE http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=michela.myopenid.com

FALSE http://chief/openidallow/check_list?check_list_key=notwhitelisted.myopenid.com

If you want to use my service for your testing, just email me your openid and I'll whitelist it

Cheers

.M.

comment:7 Changed 6 years ago by michela

My trac.ini config for reference:

[openid]
absolute_trust_root = false
signup = https://www.myopenid.com/signup?affiliate_id=18260&openid.sreg.optional=email,nickname
sreg_required = false
strip_protocol = false
strip_trailing_slash = false
timeout = false
whatis = http://openid.net/what/
# In addition to white and black lists you can use an external service
# for allowing users into trac. To control that you must use the check_list
# and check_list_key options. It will generate the URL:
# check_list?check_list_key=openid
# It expects a JSON result in the following format:
# {"check_list_key": true}
# IMPORTANT: this functionality uses simplejson which might not be available on your system by default. Install it if you want to use this functionality.
# IMPORTANT: strip_protocol and strip_trailing_slash affect what openid will be sent to the service
check_list = http://trac.modfilms.com:7861/openidallow
check_list_key = check_list

comment:8 follow-up: Changed 6 years ago by dalius

  • Resolution set to fixed
  • Status changed from reopened to closed

That's a configuration issue. Should be:

check_list=http://trac.modfilms.com:7861/openidallow/check_list
check_list_key=check_list_key

You can see debug messages before this error as well:
1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt

In your case you should see an incorrect URL string.
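An added example (hypothetical function names, not the plugin's code) of the check_list URL construction the option comments in comment:7 describe and the fix in comment:8: the endpoint URL and the query parameter name are separate options, and the same name is expected as the key of the JSON reply. The HTTP round trip is replaced by a constructed stand-in for the ticket's test service so the example runs offline; a non-JSON body yields a denial instead of the ValueError traceback from comment:6.

```python
import json
from urllib.parse import parse_qsl, urlencode

# Added example, not the plugin's code. It reads the option comments literally:
# URL = check_list?check_list_key=openid, reply = {"<check_list_key>": true}.

def build_check_url(check_list, check_list_key, openid):
    """check_list is the full endpoint URL; check_list_key names the query parameter."""
    return "%s?%s" % (check_list, urlencode({check_list_key: openid}))


def external_allows(check_list, check_list_key, openid, fetch):
    """True only when the service answers with JSON and the key is literally true."""
    try:
        reply = json.loads(fetch(build_check_url(check_list, check_list_key, openid)))
    except (OSError, ValueError):  # transport failure or "No JSON object could be decoded"
        return False               # fail closed rather than crash the login request
    return isinstance(reply, dict) and reply.get(check_list_key) is True


# Constructed stand-in for the ticket's test service (offline). It only serves the
# exact endpoint path and parameter name, like the real service would.
SERVICE = "http://trac.modfilms.com:7861/openidallow/check_list"
ALLOWED = {"michela.myopenid.com"}  # constructed whitelist contents


def fake_fetch(url):
    base, _, query = url.partition("?")
    params = dict(parse_qsl(query))
    if base != SERVICE or "check_list_key" not in params:
        return "<html><body>404 Not Found</body></html>"  # not JSON, as in the traceback
    return json.dumps({"check_list_key": params["check_list_key"] in ALLOWED})
```

The misconfigured pair from comment:7 (check_list without the /check_list path and check_list_key = check_list) produces a URL the service does not answer with JSON, which is exactly the debug-log check comment:8 suggests.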

comment:9 in reply to: ↑ 8 Changed 6 years ago by michela

Replying to dalius:

That's a configuration issue. Should be:

check_list=http://trac.modfilms.com:7861/openidallow/check_list
check_list_key=check_list_key

You can see debug messages before this error as well:
1:57:29 PM Trac[authopenid] DEBUG: OpenID check list URL: http://trac.modfilms.com:7861/openidallow/check_list?check_list_key=blog.sandbox.lt

In your case you should see an incorrect URL string.

Thanks dalius. That's great.

The whitelist needs to support a few variations of the URL (optional protocol and/or trailing slash).

comment:10 Changed 6 years ago by dalius

Michela, I don't really understand. If you are speaking about the strip_protocol and strip_trailing_slash options, I think that should be handled on the whitelist service side, because otherwise we would need to make several requests from the plugin side.
