Mercurial > p > roundup > code


  
3940


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     1 ===================


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     2 Security Mechanisms


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     3 ===================


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     4 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     5 Current situation


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     6 =================


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     7 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     8 Current logical controls:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


     9 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    10 ANONYMOUS_ACCESS = 'deny'


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    11  Deny or allow anonymous access to the web interface


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    12 ANONYMOUS_REGISTER = 'deny'


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    13  Deny or allow anonymous users to register through the web interface


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    14 ANONYMOUS_REGISTER_MAIL = 'deny'


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    15  Deny or allow anonymous users to register through the mail interface


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    16 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    17 Current user interface authentication and controls:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    18 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    19 - command-line tool access controlled with passwords, but no logical controls


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    20 - CGI access is by username and password and has some logical controls


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    21 - mailgw access is through identification using sender email address, with


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    22   limited functionality available


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    23 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    24 The web interface implements has specific logical controls,


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    25 preventing non-admin users from accessing:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    26 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    27  - other user's details pages


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    28  - listing the base classes (not issues or their user page)


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    29  - editing base classes


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    30 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    31 Issues


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    32 ======


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    33 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    34 1. The current implementation is ad-hoc, and not complete for all `use cases`_.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    35 2. Currently it is not possible to allow submission of issues through email


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    36    but restrict those users from accessing the web interface.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    37 3. Only one user may perform admin functions.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    38 4. There is no verification of users in the mail gateway by any means other


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    39    than the From address. Support for strong identification through digital


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    40    signatures should be added.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    41 5. The command-line tool has no logical controls.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    42 6. The anonymous control needs revising - there should only be one way to be


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    43    an anonymous user, not two (currently there is user==None and


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    44    user=='anonymous').


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    45 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    46 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    47 Possible approaches


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    48 ===================


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    49 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    50 Security controls in Roundup could be approached in three ways:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    51 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    52 1) at the hyperdb level, with read/write/modify permissions on classes, items


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    53    and item properties for all or specific transitions.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    54 2) at the user interface level, with access permissions on CGI interface


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    55    methods, mailgw methods, roundup-admin methods, and so on.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    56 3) at a logical permission level, checked as needed.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    57 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    58 In all cases, the security built into roundup assumes restricted access to the


4567


32b24abfe98e
Documentation polishing.

Eric S. Raymond <esr@thyrsus.com>
parents: 
4557
diff
changeset


    59 hyperdatabase itself, through operating-system controls such as user or group


3940


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    60 permissions.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    61 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    62 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    63 Hyperdb-level control


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    64 ---------------------


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    65 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    66 Control is implemented at the Class.get, Class.set and Class.create level. All


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    67 other methods must access items through these methods. Since all accesses go


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    68 through the database, we can implement deny by default.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    69 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    70 Pros:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    71 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    72    - easier to implement as it only affects one module


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    73    - smaller number of permissions to worry about


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    74 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    75 Cons:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    76 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    77    - harder to determine the relationship between user interaction and hyperdb


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    78      permission.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    79    - a lot of work to define


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    80    - must special-case to handle by-item permissions (editing user details,


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    81      having private messages)


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    82 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    83 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    84 User-interface control


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    85 ----------------------


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    86 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    87 The user interfaces would have an extra layer between that which


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    88 parses the request to determine action and the action method. This layer


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    89 controls access. Since it is possible to require methods be registered


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    90 with the security mechanisms to be accessed by the user, deny by default


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    91 is possible.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    92 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    93 Pros:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    94 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    95    - much more obvious at the user level what the controls are


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    96 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    97 Cons:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    98 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


    99    - much more work to implement


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   100    - most user interfaces have multiple uses which can't be covered by a


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   101      single permission


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   102 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   103 Logical control


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   104 ---------------


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   105 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   106 At each point that requires an action to be performed, the security mechanisms


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   107 are asked if the current user has permission. Since code must call the


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   108 check function to raise a denial, there is no possibility to have automatic


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   109 default of deny in this situation.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   110 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   111 Pros:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   112 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   113    - quite obvious what is going on


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   114    - is very similar to the current system


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   115 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   116 Cons:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   117 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   118    - large number of possible permissions that may be defined, possibly


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   119      mirroring actual user interface controls.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   120    - access to the hyperdb must be strictly controlled through program code


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   121      that implements the logical controls.


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   122 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   123 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   124 Action


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   125 ======


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   126 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   127 The CGI interface must be changed to:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   128 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   129 - authenticate over a secure connection


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   130 - use unique tokens as a result of authentication, rather than pass the user's


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   131   real credentials (username/password) around for each request (this means


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   132   sessions and hence a session database)


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   133 - use the new logical control mechanisms


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   134 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   135   - implement the permission module


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   136   - implement a Role editing interface for users


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   137   - implement htmltemplate tests on permissions


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   138   - switch all code over from using config vars for permission checks to using


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   139     permissions


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   140   - change all explicit admin user checks for Role checks


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   141   - include config vars for initial Roles for anonymous web, new web and new


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   142     email users


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   143 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   144 The mail gateway must be changed to:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   145 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   146 - use digital signatures


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   147 - use the new logical control mechanisms


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   148 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   149   - switch all code over from using config vars for permission checks to using


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   150     permissions


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   151 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   152 The command-line tool must be changed to:


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   153 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   154 - use the new logical control mechanisms (only allowing write


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   155   access by admin users, and read-only by everyone else)


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   156 


251382399e45
update

Richard Jones <richard@users.sourceforge.net>
parents: 
diff
changeset


   157
author	rouilj
date	Sun, 25 Nov 2012 18:24:28 -0500
parents	32b24abfe98e
children	8ee41c7372e7
rev	line source
3940 251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	1 ===================
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	2 Security Mechanisms
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	3 ===================
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	4
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	5 Current situation
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	6 =================
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	7
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	8 Current logical controls:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	9
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	10 ANONYMOUS_ACCESS = 'deny'
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	11 Deny or allow anonymous access to the web interface
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	12 ANONYMOUS_REGISTER = 'deny'
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	13 Deny or allow anonymous users to register through the web interface
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	14 ANONYMOUS_REGISTER_MAIL = 'deny'
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	15 Deny or allow anonymous users to register through the mail interface
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	16
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	17 Current user interface authentication and controls:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	18
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	19 - command-line tool access controlled with passwords, but no logical controls
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	20 - CGI access is by username and password and has some logical controls
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	21 - mailgw access is through identification using sender email address, with
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	22 limited functionality available
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	23
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	24 The web interface implements has specific logical controls,
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	25 preventing non-admin users from accessing:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	26
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	27 - other user's details pages
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	28 - listing the base classes (not issues or their user page)
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	29 - editing base classes
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	30
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	31 Issues
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	32 ======
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	33
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	34 1. The current implementation is ad-hoc, and not complete for all `use cases`_.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	35 2. Currently it is not possible to allow submission of issues through email
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	36 but restrict those users from accessing the web interface.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	37 3. Only one user may perform admin functions.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	38 4. There is no verification of users in the mail gateway by any means other
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	39 than the From address. Support for strong identification through digital
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	40 signatures should be added.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	41 5. The command-line tool has no logical controls.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	42 6. The anonymous control needs revising - there should only be one way to be
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	43 an anonymous user, not two (currently there is user==None and
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	44 user=='anonymous').
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	45
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	46
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	47 Possible approaches
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	48 ===================
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	49
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	50 Security controls in Roundup could be approached in three ways:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	51
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	52 1) at the hyperdb level, with read/write/modify permissions on classes, items
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	53 and item properties for all or specific transitions.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	54 2) at the user interface level, with access permissions on CGI interface
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	55 methods, mailgw methods, roundup-admin methods, and so on.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	56 3) at a logical permission level, checked as needed.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	57
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	58 In all cases, the security built into roundup assumes restricted access to the
4567 32b24abfe98e Documentation polishing. Eric S. Raymond <esr@thyrsus.com> parents: 4557 diff changeset	59 hyperdatabase itself, through operating-system controls such as user or group
3940 251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	60 permissions.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	61
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	62
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	63 Hyperdb-level control
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	64 ---------------------
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	65
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	66 Control is implemented at the Class.get, Class.set and Class.create level. All
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	67 other methods must access items through these methods. Since all accesses go
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	68 through the database, we can implement deny by default.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	69
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	70 Pros:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	71
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	72 - easier to implement as it only affects one module
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	73 - smaller number of permissions to worry about
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	74
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	75 Cons:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	76
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	77 - harder to determine the relationship between user interaction and hyperdb
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	78 permission.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	79 - a lot of work to define
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	80 - must special-case to handle by-item permissions (editing user details,
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	81 having private messages)
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	82
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	83
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	84 User-interface control
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	85 ----------------------
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	86
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	87 The user interfaces would have an extra layer between that which
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	88 parses the request to determine action and the action method. This layer
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	89 controls access. Since it is possible to require methods be registered
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	90 with the security mechanisms to be accessed by the user, deny by default
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	91 is possible.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	92
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	93 Pros:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	94
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	95 - much more obvious at the user level what the controls are
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	96
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	97 Cons:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	98
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	99 - much more work to implement
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	100 - most user interfaces have multiple uses which can't be covered by a
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	101 single permission
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	102
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	103 Logical control
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	104 ---------------
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	105
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	106 At each point that requires an action to be performed, the security mechanisms
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	107 are asked if the current user has permission. Since code must call the
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	108 check function to raise a denial, there is no possibility to have automatic
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	109 default of deny in this situation.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	110
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	111 Pros:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	112
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	113 - quite obvious what is going on
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	114 - is very similar to the current system
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	115
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	116 Cons:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	117
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	118 - large number of possible permissions that may be defined, possibly
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	119 mirroring actual user interface controls.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	120 - access to the hyperdb must be strictly controlled through program code
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	121 that implements the logical controls.
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	122
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	123
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	124 Action
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	125 ======
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	126
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	127 The CGI interface must be changed to:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	128
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	129 - authenticate over a secure connection
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	130 - use unique tokens as a result of authentication, rather than pass the user's
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	131 real credentials (username/password) around for each request (this means
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	132 sessions and hence a session database)
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	133 - use the new logical control mechanisms
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	134
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	135 - implement the permission module
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	136 - implement a Role editing interface for users
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	137 - implement htmltemplate tests on permissions
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	138 - switch all code over from using config vars for permission checks to using
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	139 permissions
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	140 - change all explicit admin user checks for Role checks
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	141 - include config vars for initial Roles for anonymous web, new web and new
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	142 email users
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	143
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	144 The mail gateway must be changed to:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	145
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	146 - use digital signatures
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	147 - use the new logical control mechanisms
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	148
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	149 - switch all code over from using config vars for permission checks to using
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	150 permissions
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	151
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	152 The command-line tool must be changed to:
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	153
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	154 - use the new logical control mechanisms (only allowing write
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	155 access by admin users, and read-only by everyone else)
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	156
251382399e45 update Richard Jones <richard@users.sourceforge.net> parents: diff changeset	157