Fixed some bugs and added additional config options

[nougad]

Hi,

I fixed some bugs in masquerade:

• 4df00a733c2c33ba1781edcf40ad395b1364060c
• 0ceda867685f588a3f6e528f897ecc3fb495d28c
• 0927ef8fe6559c9ec02c453f1764bbd0faeb9a6c
• 1741417641342e1c9a79112219c627152e9c6f6c
• 9e7282ba6f62c717f612aabbe8f4f64686146ee0
• 3f9a3c9b0381acb0b97d10a1c8360f82747a09fc
• a69a185cc16d3f02e4dc6742792941f37aac981d

Additionally I want no auth in masquerade. My apache2 server implements a single sign login for all sites so I made some commits to support this:

• 9cc8f52646e63fd30c3283c6dedd23ed69451c8d - no activation mail
• eb6ef1b200235bdfacd36c76f6351088c81e2238 - Don't set account_id cookie if basic_auth is used
• 760f941a84e9d37203cca629b412ca7241c0088b - Added option to disable registration
• 1428cdd8bdbb1b9a06e7e8ccc99dfafc8f1fd19b - Added option to forbid a user to disable the account
• 89ddbb5603e843bd2cfb349c2b237f7c77b2b4e9 - Added option to forbid user to change the password
• 9299afaa64680aa230f82cd63755bf5bd9f8adb2 - Add config option to disable yubikey

Important is the commit to trust the basic auth and don't check the password in masquerade database. Also a account can be created on demand if create_auth_ondemand is set.

• 9ed4c09331c721f3731365882fe265610eb8bf1d

Finally I hide the logout link if user is logged in via auth_basic:

• 75779ce7141ebcdecd9a9b9f0ddaf04836b59702

One last problem exists: I don't know how to enable read access to account page (and xrds). Currently I forbid all access and whitelist the required links:

< Location "/" >
  AuthName "login"
  AuthType Basic
  require group openid
  ...
< /Location >

< LocationMatch "^/(consumer|server|stylesheets|images|javascripts|help|logout|404.html|422.html|500.html|favicon.ico|robots.txt|safe-login)" >
  Order Allow,Deny
  Allow from all
  Satisfy Any
< /LocationMatch >

< LocationMatch "^/$" >
  Order Allow,Deny
  Allow from all
  Satisfy Any
< /LocationMatch >

But I need to enable /username(.xrds) as well for GET requests. But I don't want to write all usernames down. Do you have any ideas? My suggestion is to move /username(.xrds) to /users/username(.xrds) than a whitelist for /users/* would be possible. What do you think?

Greetings, nougad

[dennisreimann]

Thanks a lot for your contribution, this looks good! Unfortunately I cannot pull this in unless you provide tests for the scenarios you've implemented. These are some important changes to how authentication works and I'd be glad to accept them, but we'll have to require some verification that this is working as expected. Thank you!

[nougad]

Yeah, of course your right. I was so stupid to not run the tests (neither writing some). I found some errors in my code but I found some errors in the main project to while I fixed the tests:

• nougad@d3f484e5fb2bbdbf9260e7261f868f8ea1bfc620
• nougad@51bec662a78c3bf55e6c1de8150b05ee0548f577
• nougad@5b239cabd80c27e2047bc493251bc66769363e9a

I try to write tests for my features in the next days.

[nougad]

OK, finally the unittests should cover everything. I tried to make some diagram (graphviz) for authentication. (see commit 40bf5cd0593622904e945e7da2dfe8359ba25b77). Perhaps this chart helps to understand. Please review the code. Any comments are welcome.

Only my problem with url's are still exist. What do you think about to move /username(.xrds) to /users/username(.xrds)?

---

I forgot to mention the output

"warning: peer certificate won't be verified in this SSL session"

when I test d5b335f8b3b96c19b15218aa67d27daf30022981 - Any Ideas?

[dennisreimann]

Thank you, Florian. I've applyed your changes to the integration branch and will review them. Can you help me with that, @djmaze ?

[dennisreimann]

For me the tests are working without the mentioned problem, but I'll investigate what's wrong with that.