action #1279: API authentication (was iChain integration) - openQA Project (public) - openSUSE Project Management Tool

Custom queries

All 'new' issues w/o assignee, sorted by version/priority
All auto_review tickets
All auto_review+force_result tickets
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE Tools team - due soon
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #1279

closed

API authentication (was iChain integration)

Added by ancorgs almost 11 years ago. Updated almost 11 years ago.

Status:

Closed

Priority:

Immediate

Assignee:

ancorgs

Category:

Target version:

Sprint 03

Start date:

2014-01-27

Due date:

% Done:

100%

Estimated time:

10.00 h

Description

openID is not enough, we need a more general, browser-independent and iChain-independent way of authentication for API calls (I'm reusing the old iChain issue, since it was being used in fact to log the activity related with this subject).

History
Notes
Property changes

Actions

Copy link

Updated by ancorgs almost 11 years ago

Priority changed from High to Immediate

Actions

Copy link

Updated by ancorgs almost 11 years ago

Target version set to Sprint 03

Actions

Copy link

Updated by ancorgs almost 11 years ago

Assignee set to ancorgs

Actions

Copy link

Updated by ancorgs almost 11 years ago

Status changed from New to In Progress

Since we need authentication for the workers even in iChain-free environments, researching about oAuth (1.0, 1.0a and 2.0) + Perl + Mojolicious.

Actions

Copy link

Updated by ancorgs almost 11 years ago

Evaluating alternatives to oAuth like api key + hmac. Looks like Mojolicious includes some low level support for generation hmac sums.

Actions

Copy link

Updated by ancorgs almost 11 years ago

I propose to use openID for user authentication through the web interface and an API Key with HMAC headers for API authorization. I spent the WHOLE MORNING writing a blog post draft explaining the 'what' and the 'why' http://etherpad.cloud.suse.de/p/fZz2qcvyvt

Actions

Copy link

Updated by ancorgs almost 11 years ago

Subject changed from iChain integration to API authentication (was iChain integration)
Description updated (diff)

Actions

Copy link

Updated by ancorgs almost 11 years ago

% Done changed from 0 to 50

New branch 'auth' created in the repository with a working (but WIP) user-based authentication and authorization system.

Tests are not adapted yet
script/client contains now an example implementation of HMAC authentication that needs to be extracted and generalized
A user with is_operator = true is needed in the web interface
An API key associated to such a user is needed if no browser (no browser==no openID).
TODO: CSRF should probably be removed from clients

If somebody with more Perl knowledge pulls and fix the clients (to read the key and secret from a config file and that kind of things), it would be highly appreciated.

Actions

Copy link

Updated by ancorgs almost 11 years ago

% Done changed from 50 to 60

CSRF is not used in combination with HMAC anymore (made no sense). Most tests fixed. Added a helper for simulating openID logins during tests (this last point took me 3 hours).

Actions

Copy link

#10