Change Summary:
This latest diff adds validation of the username regex entered in the siteconfig form, and modifies X509Middleware to not execute any code if the X.509 authentication backend is disabled.
Adds ability to use x.509 certificates for authenticating users
Review Request #991 — Created Aug. 24, 2009 and submitted
These changes enable Review Board to use x.509 certificates alongside the builtin username/password authentication backend. This functionality will be useful for deployments in environments with a Public Key Infrastructure set up. I deliberately avoided modifying post-review to support client certificates due to a lack of decent support for them in Python's high-level libraries. Instead, I modified the user preferences view to permit authenticated users to set their Django password. Django's built-in support for multiple authentication backends will then permit them to use the builtin auth backend with post-review. This diff was originally reviewed at http://reviews.review-board.org/r/938/
Tested on my test Review Board server, running Apache/mod_python,mod_ssl/Django 1.1.
-
Wondering if we actually need to check for this. Presumably, if this code is even running, then this auth backend is configured. Otherwise it shouldn't be in the list.
-
It's possible that we may get something down the road that is actually a subclass of this request type, rather than being that request type itself. For this reason, I think it may be better if we import these classes directly and use isinstance() to check.
-
It'd be really nice if we didn't have to access _req directly. Can we use os.getenv()? It looks like ModPythonHandler actually copies _req.subprocess_env into os.environ.
-
If this is ever not a string, then the user did something custom and stupid, and we don't want to mask it. We probably shouldn't use str() here.
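Added example, not code from this review request: one way to validate the username regex from the siteconfig form (as the change summary describes) and apply it to a certificate field exported by mod_ssl. `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_Email` are mod_ssl variables; the function names, the one-capture-group rule and the sample values are assumptions.

```python
import re


def validate_username_regex(pattern):
    """Config-time check: the pattern must compile and capture exactly one group."""
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        raise ValueError("invalid username regex: %s" % exc)
    if compiled.groups != 1:
        raise ValueError("username regex needs exactly one capture group")
    return compiled


def username_from_environ(environ, field, compiled):
    """Return the username from a verified client certificate, else None."""
    # mod_ssl reports SUCCESS only when the client certificate chain validated.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    value = environ.get(field)
    if value is None:
        return None
    # No str() coercion: a non-string here is a misconfiguration to surface.
    if not isinstance(value, str):
        raise TypeError("%s is not a string: %r" % (field, value))
    # fullmatch, not search: trailing data after the pattern must not be ignored.
    match = compiled.fullmatch(value)
    return match.group(1) if match else None


def demo():
    """Run the checks over constructed sample environments."""
    rx = validate_username_regex(r"([a-z0-9._-]+)@example\.com")
    field = "SSL_CLIENT_S_DN_Email"
    samples = [
        {"SSL_CLIENT_VERIFY": "SUCCESS", field: "alice@example.com"},
        {"SSL_CLIENT_VERIFY": "NONE", field: "alice@example.com"},
        {"SSL_CLIENT_VERIFY": "SUCCESS", field: "alice@example.com.other.test"},
    ]
    return [username_from_environ(env, field, rx) for env in samples]


if __name__ == "__main__":
    print(demo())
```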