Mercurial > p > roundup > code

annotate doc/security.txt @ 6814:3f60a71b0812

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Summary: Support selecion session/otk data store. Add redis as data store. Allow admin to select the backend data store. Compatibility matrix: main\/ session>| anydbm | sqlite | redis | mysql | postgresql | anydbm | D | | X | | | sqlite | X | D | X | | | mysql | | | | D | | postgresql | | | | | D | --------------------------------------------------------------+ D - default if unconfigured, X - compatible choice DETAILS roundup/configuration.py: add config.ini section sessiondb with settings: backend and redis_url. CHANGES.txt, doc/admin_guide.txt, doc/installation.txt, doc/upgrading.txt: doc on config of session db and redis. Plus some other fixes: admin - clarified why we do not drop __words and __testids table in native-fts conversion. TYpo fix. upgrading - doc how you can keep using anydbm for session data with sqlite. Fix dupe sentence in an upgrading config.ini section. roundup/backends/back_anydbm.py, roundup/backends/back_sqlite.py: code to support redis, redis/anydbm backends respectively. roundup/backends/sessions_redis.py new storage backend for redis. roundup/rest.py, roundup/cgi/actions.py, roundup/cgi/templating.py redis uses a different way of calculating lifetime/timestamp. Since expiration of an item occurred if its timestamp was more than 1 week old, code would calculate: now - 1 week + lifetime. But this results in faster expiration in redis if used for lifetime/timestamp. Convert code to use the lifetime() method in BasicDatabase that generates the right timestamp for each backend. test/session_common.py: added tests for more cases, get without default, getall non-existing key etc. timestamp test changed to use new self.get_ts which is overridden in other tests. Test that datatypes survive storage. test/test_redis_session.py: test redis session store with sqlite and anydbm primary databases test/test_anydbm.py, test/test_sqlite.py add test to make sure the databases are properly set up sqlite - add test cases where anydbm is used as datastore anydbm - remove updateTimestamp override add get_ts(). test/test_config.py tests on redis_url and compatibility on choice of sessiondb backend .travis.yml: add redis db and redis-py
author John Rouillard <rouilj@ieee.org>
date Thu, 04 Aug 2022 14:41:58 -0400
parents 8ee41c7372e7
children ffe29ee47c47
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1 ===================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 Security Mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
3 ===================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
5 Current situation
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6 =================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
7
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8 Current logical controls:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 ANONYMOUS_ACCESS = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11 Deny or allow anonymous access to the web interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 ANONYMOUS_REGISTER = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13 Deny or allow anonymous users to register through the web interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 ANONYMOUS_REGISTER_MAIL = 'deny'
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15 Deny or allow anonymous users to register through the mail interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
17 Current user interface authentication and controls:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
19 - command-line tool access controlled with passwords, but no logical controls
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
20 - CGI access is by username and password and has some logical controls
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
21 - mailgw access is through identification using sender email address, with
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
22 limited functionality available
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
23
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
24 The web interface implements has specific logical controls,
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
25 preventing non-admin users from accessing:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
26
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
27 - other user's details pages
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
28 - listing the base classes (not issues or their user page)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
29 - editing base classes
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
30
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
31 Issues
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
32 ======
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
33
4732
8ee41c7372e7 doc: Fix some Sphinx warnings.
anatoly techtonik <techtonik@gmail.com>
parents: 4567
diff changeset
34 1. The current implementation is ad-hoc, and not complete for all use cases.
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
35 2. Currently it is not possible to allow submission of issues through email
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
36 but restrict those users from accessing the web interface.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
37 3. Only one user may perform admin functions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
38 4. There is no verification of users in the mail gateway by any means other
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
39 than the From address. Support for strong identification through digital
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
40 signatures should be added.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
41 5. The command-line tool has no logical controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
42 6. The anonymous control needs revising - there should only be one way to be
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
43 an anonymous user, not two (currently there is user==None and
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
44 user=='anonymous').
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
45
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
46
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
47 Possible approaches
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
48 ===================
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
49
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
50 Security controls in Roundup could be approached in three ways:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
51
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
52 1) at the hyperdb level, with read/write/modify permissions on classes, items
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
53 and item properties for all or specific transitions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
54 2) at the user interface level, with access permissions on CGI interface
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
55 methods, mailgw methods, roundup-admin methods, and so on.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
56 3) at a logical permission level, checked as needed.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
57
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
58 In all cases, the security built into roundup assumes restricted access to the
4567
32b24abfe98e Documentation polishing.
Eric S. Raymond <esr@thyrsus.com>
parents: 4557
diff changeset
59 hyperdatabase itself, through operating-system controls such as user or group
3940
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
60 permissions.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
61
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
62
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
63 Hyperdb-level control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
64 ---------------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
65
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
66 Control is implemented at the Class.get, Class.set and Class.create level. All
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
67 other methods must access items through these methods. Since all accesses go
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
68 through the database, we can implement deny by default.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
69
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
70 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
71
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
72 - easier to implement as it only affects one module
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
73 - smaller number of permissions to worry about
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
74
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
75 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
76
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
77 - harder to determine the relationship between user interaction and hyperdb
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78 permission.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
79 - a lot of work to define
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
80 - must special-case to handle by-item permissions (editing user details,
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
81 having private messages)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
82
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
83
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
84 User-interface control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
85 ----------------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
86
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
87 The user interfaces would have an extra layer between that which
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
88 parses the request to determine action and the action method. This layer
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
89 controls access. Since it is possible to require methods be registered
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
90 with the security mechanisms to be accessed by the user, deny by default
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
91 is possible.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
92
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
93 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
94
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
95 - much more obvious at the user level what the controls are
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
96
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
97 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
98
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
99 - much more work to implement
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
100 - most user interfaces have multiple uses which can't be covered by a
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101 single permission
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
102
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
103 Logical control
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
104 ---------------
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
105
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
106 At each point that requires an action to be performed, the security mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
107 are asked if the current user has permission. Since code must call the
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
108 check function to raise a denial, there is no possibility to have automatic
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
109 default of deny in this situation.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
110
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
111 Pros:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
112
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
113 - quite obvious what is going on
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
114 - is very similar to the current system
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
115
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
116 Cons:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
117
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
118 - large number of possible permissions that may be defined, possibly
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
119 mirroring actual user interface controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
120 - access to the hyperdb must be strictly controlled through program code
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
121 that implements the logical controls.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
122
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
123
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
124 Action
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
125 ======
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
126
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
127 The CGI interface must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
128
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
129 - authenticate over a secure connection
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
130 - use unique tokens as a result of authentication, rather than pass the user's
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
131 real credentials (username/password) around for each request (this means
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
132 sessions and hence a session database)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
133 - use the new logical control mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
134
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
135 - implement the permission module
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
136 - implement a Role editing interface for users
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
137 - implement htmltemplate tests on permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
138 - switch all code over from using config vars for permission checks to using
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
139 permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
140 - change all explicit admin user checks for Role checks
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
141 - include config vars for initial Roles for anonymous web, new web and new
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
142 email users
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
143
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
144 The mail gateway must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
145
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
146 - use digital signatures
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
147 - use the new logical control mechanisms
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
148
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
149 - switch all code over from using config vars for permission checks to using
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
150 permissions
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
151
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
152 The command-line tool must be changed to:
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
153
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
154 - use the new logical control mechanisms (only allowing write
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
155 access by admin users, and read-only by everyone else)
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
156
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
157
Roundup Issue Tracker: http://roundup-tracker.org/