whimsical-commits mailing list archives

From curc...@apache.org
Subject [whimsy] branch master updated: Better explain how to do complex auth
Date Mon, 05 Jun 2017 14:42:29 GMT
This is an automated email from the ASF dual-hosted git repository.

curcuru pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new ba212f1  Better explain how to do complex auth
ba212f1 is described below

commit ba212f133ade5ab868683323fff4988a3e221e44
Author: Shane Curcuru <asf@shanecurcuru.org>
AuthorDate: Mon Jun 5 10:42:23 2017 -0400

    Better explain how to do complex auth
---
 DEVELOPMENT.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index f1660c8..1c8bc27 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -181,7 +181,8 @@ If there is a `Gemfile` in the directory containing the script or application
 you wish to run, dependencies needed for execution can be installed using the
 command `bundle install`.  Similarly, if starting from scratch you 
 may need `gem install rake`.  Periodically if underlying gems like 
-wunderbar are updated, you may need `bundle update`.
+wunderbar are updated, you may need `bundle update`.  
+See also [How To: Keep Your Local Environment Updated](#how-to-keep-your-local-environment-updated)
 
 1. CGI applications can be run from a command line, and produce output to
    standard out.  If you would prefer to see the output in a browser, you
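Review bot: The added "See also" line links to `#how-to-keep-your-local-environment-updated`, a heading that does not appear anywhere in this diff; confirm that a section with exactly that title exists in DEVELOPMENT.md, because a renamed or missing heading breaks the anchor without any visible error. The same change adds two trailing spaces after `bundle update`., which Markdown renders as a hard line break; if the break is intended, a blank line before "See also" states it more robustly than whitespace that editors tend to strip, and the new sentence should end with a period like the ones around it.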
@@ -278,6 +279,37 @@ Note also that sometimes you may need to `bundle exec *command*` instead
 of just doing `bundle *command*`, since using the exec uses a subtly 
 different set of gem versions from the local directory.
 
+### How To: Authenticate/Authorize Your Scripts
+
+User authentication for any CGI script is provided by the http server's 
+LDAP module, and can be done by by adding the path to the CGI in the 
+deployment descriptor for the server under the appropriate `authldap` realm:
+
+https://github.com/apache/infrastructure-puppet/blob/deployment/data/nodes/whimsy-vm4.apache.org.yaml#L127
+
+Note that the LDAP module does not currently handle boolean conditions
+(example: members **or** officers).  The way to handle this is to do
+authentication in two passes.  The first pass will be done by the Apache
+http server, and verify that the user is a part of the most inclusive group
+(typically: committers).  That is done as above in `authldap`.
+
+The CGI scripts that need to do more specific authorization will need to
+check `ASF::Auth` in their code, and output a "Status: 401 Unauthorized" 
+line if access to the tool is **not** permitted for the user.
+
+```ruby
+require 'whimsy/asf/rack' # Ensures server auth is passed thru
+require 'whimsy/asf' # Provides ASF::Auth class
+
+user = ASF::Auth.decode(env = {})
+unless user.asf_member? or ASF.pmc_chairs.include? user
+  print "Status: 401 Unauthorized\r\n"
+  print "WWW-Authenticate: Basic realm=\"ASF Members and Officers\"\r\n\r\n"
+  exit
+end
+```
+
+
 Whimsy On Windows
 =================
 
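Review bot: In the Ruby sample, `ASF::Auth.decode(env = {})` is handed a freshly created empty hash, and the new text never says where the user identity then comes from, so a reader cannot tell what the script-level check evaluates if the script's path was left out of the `authldap` realm; add a sentence naming the source of the identity and stating that the second pass depends on the server pass having run for that path. The denial is sent as `Status: 401 Unauthorized` with a `WWW-Authenticate` challenge even though the user has already authenticated and the paragraph describes this step as authorization; say in the text whether re-prompting for credentials is the intended behaviour, or use 403 for a plain denial. Smaller points: "can be done by by adding" repeats "by"; the link ending in `#L127` points into the moving `deployment` branch, so the line reference will drift and a commit permalink would hold; and `unless user.asf_member? or ASF.pmc_chairs.include? user` would read less ambiguously with `||` and parentheses around the `include?` argument.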

-- 
To stop receiving notification emails like this one, please contact
['"commits@whimsical.apache.org" <commits@whimsical.apache.org>'].
