Feature #21605
Make authentication extendable
Description
Plugins can't easily extend authentication with their own means of authentication if SSL is used. The reason is that the #authorize_with_ssl_client before block would always fail on SSL if no client is available. In REX there are use cases where the REX core worker is authenticated differently (looking at a serial number or using a token). The authentication methods should not run if another authentication method has already succeeded. That will also help to avoid running both the trusted hosts and SSL auth methods that are built into the proxy.
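The difference between a check in a before block and an ordered list of methods where the first success ends the search, as an added example (not smart-proxy code). The request model, the method names and the sample values are all hypothetical and constructed for illustration:

```ruby
require 'digest'

# Constructed request model; every name in this block is hypothetical.
Request = Struct.new(:https, :client_cn, :token, keyword_init: true)

TRUSTED_CNS = ['foreman.example.test'].freeze # constructed sample value
WORKER_TOKEN_SHA256 = Digest::SHA256.hexdigest('constructed-worker-token')

# Each method returns true only on positive proof; missing input never passes.
AUTH_METHODS = {
  ssl_client: ->(r) { r.https == true && TRUSTED_CNS.include?(r.client_cn) },
  # Digests are compared instead of the raw secret, so comparison timing
  # does not track the secret's bytes.
  worker_token: ->(r) {
    r.token.is_a?(String) && Digest::SHA256.hexdigest(r.token) == WORKER_TOKEN_SHA256
  }
}.freeze

# Behaviour the ticket describes: the SSL check runs in a before block and
# halts the request, so a plugin's own method never gets a chance.
def before_block_style(req)
  AUTH_METHODS[:ssl_client].call(req) ? 200 : 403
end

# Extendable form: try methods in order, stop at the first success,
# and deny when none of them succeeded.
def authorize(req, order)
  ran = []
  order.each do |name|
    ran << name
    return { status: 200, by: name, ran: ran } if AUTH_METHODS.fetch(name).call(req)
  end
  { status: 403, by: nil, ran: ran }
end

if __FILE__ == $PROGRAM_NAME
  worker = Request.new(https: true, token: 'constructed-worker-token')
  puts before_block_style(worker)
  p authorize(worker, %i[ssl_client worker_token])
end
```

The `ran` list makes the short-circuit visible: a request accepted by the first method never reaches the later ones, and an empty or exhausted list ends in a 403.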
Related issues
Associated revisions
Refs #21605 - remove rubocop metrics
History
#1
Updated by Marek Hulán over 5 years ago
- Blocks Bug #17249: All in one setup does not work with regular SSL cert based auth added
#2
Updated by The Foreman Bot over 5 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/550 added
#3
Updated by Lukas Zapletal about 4 years ago
- Triaged changed from No to Yes
- Status changed from Ready For Testing to New
- Pull request deleted (https://github.com/theforeman/smart-proxy/pull/550)
The proposal was not considered good enough, the authorization mechanism needs a modular and plugin-friendly approach. https://github.com/theforeman/smart-proxy/pull/550
#4
Updated by Ivan Necas about 4 years ago
- Related to Bug #25001: CVE-2018-14643 rubygem-smart_proxy_dynflow: Authentication bypass in Foreman remote execution feature added
#5
Updated by The Foreman Bot about 4 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/smart-proxy/pull/639 added
#6
Updated by Lukas Zapletal about 4 years ago
- Fixed in Releases 1.22.0 added
#7
Updated by Ivan Necas about 4 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset 56f9095e9d70b6648d45f6754ab7cf4474352c91.
#8
Updated by The Foreman Bot about 4 years ago
- Pull request https://github.com/theforeman/smart-proxy/pull/641 added
Fixes #21605 - more authorization options
Before this change, when using authorization helpers, one got all or
nothing, without any chance to use the authorization for just a subset of
the requests.
This patch introduces `Sinatra::Authorization::Helpers` that provide
`do_authorize*` methods that are not wrapped in the before block, so that
their usage is more flexible.