[Koha-bugs] [Bug 18315] New: authentication and authorization refactoring

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Wed Mar 22 15:31:30 CET 2017


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18315

            Bug ID: 18315
           Summary: authentication and authorization refactoring
 Change sponsored?: ---
           Product: Koha
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: gmcharlt at gmail.com
          Reporter: oha at oha.it
        QA Contact: testopia at bugs.koha-community.org
                CC: dpavlin at rot13.org

Currently, C4::Auth is responsible for session management, authentication and
authorization.

There is no clear separation between them, and the authentication is not
modular, making it increasingly harder to maintain and/or introduce new
authentication integrations.

I was experimenting on this for a while, and I managed to put together a few
commits in a branch.

It started as a proposal, but turned out to be working in _most_ of my tests.

Here are more details:

I completely removed any need for CGI and CGI::Session while maintaining a
fork-exec approach to the scripts. (This made it easier to implement
Koha::Middleware::Session, Koha::Session::DB and ::KohaCache)

Koha::Middleware::Session injects a session object in the Plack request, and
invokes Koha::Auth if any authentication tokens are available.

Koha::Auth has a list of modules which will be invoked in turn and could be
enabled/disabled.

plack.psgi is changed as well, it has enabled the new Middleware and the
applications used are no longer Plack::App::CGIBin but Koha::Middleware::App.


Here are a few of the things I want to do to simplify the interaction with the
current "legacy" code:

I didn't change the scripts or any other module at all, instead I tried to
hijack C4::Auth methods to rely on Koha::Session and Koha::Auth. This makes it
simple to switch back to the previous plack.psgi OR using apache and the normal
cgi-bin.

Authentication should happen upfront, before the script is even started. The
script will have to verify authorization.

Authentication MUST be modular, possibly having different systems cooperate.
(Some serious discussions must be around this point, especially about
accounting and authority)


What needs to be done:

Permissions should be reintroduced. Right now permissions are read for the user
and set in the template, but no checks are performed on requests. (Should be
fairly simple to do.)

Reintroduce the code related to shib, cas and any other.

More testing, especially for the installer (there is lots of code regarding the
web installer which isn't there anymore)

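A sketch of the layering this report describes, as an added example that is not code from the Koha branch: a middleware runs the enabled authentication modules in turn before the script starts, and the script itself enforces a deny-by-default permission check on every request. All names (`auth_middleware`, `require_permission`, the `demo.user` key, the tokens and users) are hypothetical, and plain PSGI-style code references stand in for Plack.

```perl
use strict; use warnings;

# Hypothetical authenticators: each gets the PSGI-style $env and returns a
# user hashref, or undef so the next enabled module can try.
my %tokens = (    # constructed sample credentials
    'constructed-token-1' => { id => 'alice', perms => { catalogue => 1 } },
    'constructed-token-2' => { id => 'carol', perms => {} },
);
my @modules = (
    { name => 'token', enabled => 1,
      check => sub { $tokens{ $_[0]{HTTP_X_AUTH_TOKEN} // '' } } },
    { name => 'remote_user', enabled => 0,    # switched off: never consulted
      check => sub { $_[0]{REMOTE_USER} ? { id => $_[0]{REMOTE_USER}, perms => {} } : undef } },
);

# Middleware: authenticate upfront, before the wrapped script runs.
sub auth_middleware {
    my ($app, $mods) = @_;
    return sub {
        my ($env) = @_;
        delete $env->{'demo.user'};    # no identity carries over from upstream
        for my $m (grep { $_->{enabled} } @$mods) {
            my $user = $m->{check}->($env) or next;
            $env->{'demo.user'} = { %$user, via => $m->{name} };
            last;
        }
        return $app->($env);
    };
}

# Authorization stays with the script and denies by default.
sub require_permission {
    my ($env, $perm) = @_;
    my $user = $env->{'demo.user'}
        or return [ 401, [], ["authentication required\n"] ];
    return [ 403, [], ["forbidden\n"] ] unless $user->{perms}{$perm};
    return;    # allowed
}

my $script = sub {
    my ($env) = @_;
    if (my $denied = require_permission($env, 'catalogue')) { return $denied }
    return [ 200, [], ["hello $env->{'demo.user'}{id}\n"] ];
};

# Constructed requests: permitted user, user without the permission, disabled module.
for my $env ({ HTTP_X_AUTH_TOKEN => 'constructed-token-1' },
             { HTTP_X_AUTH_TOKEN => 'constructed-token-2' }, { REMOTE_USER => 'bob' }) {
    my $res = auth_middleware($script, \@modules)->($env);
    print "$res->[0] $res->[2][0]";
}
```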