Mercurial > p > roundup > code

annotate doc/security.txt @ 774:811475894dd9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
More thoughts
author Richard Jones <richard@users.sourceforge.net>
date Mon, 17 Jun 2002 23:15:05 +0000
parents d341cd0e7689
children 2a0886bacdcc
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
1 ===================
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
2 Security Mechanisms
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
3 ===================
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
4
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
5 :Version: $Revision: 1.3 $
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
6
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
7 Current situation
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
8 =================
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
9
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
10 Current logical controls:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
11
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
12 ANONYMOUS_ACCESS = 'deny'
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
13 Deny or allow anonymous access to the web interface
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
14 ANONYMOUS_REGISTER = 'deny'
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
15 Deny or allow anonymous users to register through the web interface
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
16 ANONYMOUS_REGISTER_MAIL = 'deny'
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
17 Deny or allow anonymous users to register through the mail interface
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
18
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
19 Current user interface authentication and controls:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
20
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
21 - command-line tool access controlled with passwords, but no logical controls
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
22 - CGI access is by username and password and has some logical controls
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
23 - mailgw access is through identification using sender email address, with
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
24 limited functionality available
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
25
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
26 The web interface implements has specific logical controls,
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
27 preventing non-admin users from accessing:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
28
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
29 - other user's details pages
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
30 - listing the base classes (not issues or their user page)
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
31 - editing base classes
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
32
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
33 Issues
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
34 ======
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
35
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
36 1. The current implementation is ad-hoc, and not complete for all `use cases`_.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
37 2. Currently it is not possible to allow submission of issues through email
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
38 but restrict those users from accessing the web interface.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
39 3. Only one user may perform admin functions.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
40 4. There is no verification of users in the mail gateway by any means other
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
41 than the From address. Support for strong identification through digital
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
42 signatures should be added.
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
43 5. The command-line tool has no logical controls.
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
44
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
45
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
46 Possible approaches
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
47 ===================
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
48
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
49 Security controls in Roundup could be approached in three ways:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
50
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
51 1) at the hyperdb level, with read/write/modify permissions on classes, nodes
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
52 and node properties for all or specific transitions.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
53 2) at the user interface level, with access permissions on CGI interface
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
54 methods, mailgw methods, roundup-admin methods, and so on.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
55 3) at a logical permission level, checked as needed.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
56
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
57 In all cases, the security built into roundup assumes restricted access to the
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
58 hyperdatabase itself, through Operating System controls such as user or group
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
59 permissions.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
60
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
61
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
62 Hyperdb-level control
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
63 ---------------------
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
64
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
65 Control is implemented at the Class.get, Class.set and Class.create level. All
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
66 other methods must access nodes through these methods. Since all accesses go
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
67 through the database, we can implement deny by default.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
68
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
69 Pros:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
70
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
71 - easier to implement as it only affects one module
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
72 - smaller number of permissions to worry about
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
73
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
74 Cons:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
75
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
76 - harder to determine the relationship between user interaction and hyperdb
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
77 permission.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
78 - a lot of work to define
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
79 - must special-case to handle by-node permissions (editing user details,
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
80 having private messages)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
81
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
82
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
83 User-interface control
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
84 ----------------------
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
85
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
86 The user interfaces would have an extra layer between that which
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
87 parses the request to determine action and the action method. This layer
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
88 controls access. Since it is possible to require methods be registered
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
89 with the security mechanisms to be accessed by the user, deny by default
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
90 is possible.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
91
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
92 Pros:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
93
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
94 - much more obvious at the user level what the controls are
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
95
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
96 Cons:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
97
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
98 - much more work to implement
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
99 - most user interfaces have multiple uses which can't be covered by a
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
100 single permission
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
101
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
102
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
103 Logical control
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
104 ---------------
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
105
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
106 At each point that requires an action to be performed, the security mechanisms
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
107 are asked if the current user has permission. Since code must call the
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
108 check function to raise a denial, there is no possibility to have automatic
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
109 default of deny in this situation.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
110
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
111 In practice, this is implemented as:
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
112
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
113 1. there's a mapping of user -> role (in hyperdb)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
114 2. there's a mapping of role -> permission (in code)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
115 3. there's a function that's available to all roundup code that can ask
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
116 whether a particular user has a particular permission.
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
117
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
118 Pros:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
119
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
120 - quite obvious what is going on
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
121 - is the current system
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
122
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
123 Cons:
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
124
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
125 - large number of possible permissions that may be defined, possibly
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
126 mirroring actual user interface controls.
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
127 - access to the hyperdb must be strictly controlled through program code
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
128 that implements the logical controls.
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
129
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
130
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
131 Applying controls to users
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
132 ==========================
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
133
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
134 Individual assignment of Permission to User is unwieldy. The concept of a
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
135 Role, which encompasses several Permissions and may be assigned to many Users,
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
136 is quite well developed in many projects. Roundup will take this path, and
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
137 allow the multiple assignment of Roles to Users, and multiple Permissions to
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
138 Roles. These definitions will be stored in the hyperdb.
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
139
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
140
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
141 A permission module defines::
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
142
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
143 class InMemoryImmutableClass(hyperdb.Class):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
144 ''' Don't allow changes to this class's nodes.
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
145 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
146 def __init__(self, db, classname, **properties):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
147 ''' Set up an in-memory store for the nodes of this class
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
148 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
149
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
150 def create(self, **propvalues):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
151 ''' Create a new node in the in-memory store
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
152 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
153
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
154 def get(self, nodeid, propname, default=_marker, cache=1):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
155 ''' Get the node from the in-memory store
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
156 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
157
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
158 def set(self, *args):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
159 raise ValueError, "%s are immutable"%self.__class__.__name__
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
160
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
161 class PermissionClass(InMemoryImmutableClass):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
162 ''' Include the default attributes:
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
163 - name (String, key)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
164 - description (String)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
165 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
166
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
167 class RoleClass(InMemoryImmutableClass):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
168 ''' Include the default attributes:
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
169 - name (String, key)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
170 - description (String)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
171 - permissions (PermissionClass Multilink)
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
172 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
173
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
174 def hasPermission(db, userid, permission):
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
175 ''' Look through all the Roles, and hence Permissions, and see if
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
176 "permission" is there
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
177 '''
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
178
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
179
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
180 The instance dbinit module then has::
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
181
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
182 in open():
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
183
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
184 perm = permission.PermissionClass(db, "permission")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
185 role = permission.RoleClass(db, "role")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
186
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
187 wa = perm.create(name="Web Access",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
188 description="User may log in through the web")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
189 wr = perm.create(name="Web Registration",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
190 description="User may register through the web")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
191 ma = perm.create(name="Mail Access",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
192 description="User may log in through email")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
193 mr = perm.create(name="Mail Registration",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
194 description="User may register through email")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
195 aa = perm.create(name="Access Everything",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
196 description="User may access everthing")
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
197 role.create(name="User", description="A regular user, no privs",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
198 permissions=[wa, wr, ma, mr])
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
199 role.create(name="Admin", description="An admin user, full privs",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
200 permissions=[aa])
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
201 ro = role.create(name="No Rego", description="A user who can't register",
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
202 permissions=[wa, ma])
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
203
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
204 in init():
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
205
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
206 r = db.getclass('role').find('Admin')
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
207 user.create(username="admin", password=Password(adminpw),
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
208 address=instance_config.ADMIN_EMAIL, roles=[r])
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
209
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
210 # choose your anonymous user access permission here
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
211 #r = db.getclass('role').find('No Rego')
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
212 r = db.getclass('role').find('User')
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
213 user.create(username="anonymous", roles=[r])
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
214
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
215
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
216 Authentication of Users
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
217 -----------------------
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
218
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
219 Users must be authenticated correctly for the above controls to work. This is
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
220 not done in the current mail gateway at all. Use of digital signing of
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
221 messages could alleviate this problem.
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
222
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
223 The exact mechanism of registering the digital signature should be flexible,
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
224 with perhaps a level of trust. Users who supply their signature through their
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
225 first message into the tracker should be at a lower level of trust to those
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
226 who supply their signature to an admin for submission to their user details.
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
227
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
228
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
229 Action
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
230 ======
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
231
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
232 The CGI interface must be changed to:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
233
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
234 - authenticate over a secure connection
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
235 - use unique tokens as a result of authentication, rather than pass the user's
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
236 real credentials (username/password) around for each request (this means
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
237 sessions :)
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
238 - use the new logical control mechanisms
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
239
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
240 The mail gateway must be changed to:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
241
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
242 - use digital signatures
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
243 - use the new logical control mechanisms
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
244
774
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
245 The command-line tool must be changed to:
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
246
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
247 - use the new logical control mechanisms (only allowing write
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
248 access by admin users, and read-only by everyone else)
811475894dd9 More thoughts
Richard Jones <richard@users.sourceforge.net>
parents: 728
diff changeset
249
728
d341cd0e7689 Latest thoughts.
Richard Jones <richard@users.sourceforge.net>
parents: 725
diff changeset
250
725
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
251 Use cases
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
252 =========
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
253
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
254 public
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
255 end users that can submit bugs, request new features, request support
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
256 developer
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
257 developers that can fix bugs, implement new features provide support
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
258 manager
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
259 approvers/managers that can approve new features and signoff bug fixes
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
260 admin
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
261 administrators that can add users and set user's roles
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
262 system
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
263 automated request handlers running various report/escalation scripts
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
264 privacy
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
265 issues that are only visible to some users
2a563dbacd65 Initial doc holding collated thoughts on roundup security.
Richard Jones <richard@users.sourceforge.net>
parents:
diff changeset
266
Roundup Issue Tracker: http://roundup-tracker.org/