-
Notifications
You must be signed in to change notification settings - Fork 563
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Idp Account Name as key for credentials store #762
base: master
Are you sure you want to change the base?
Use Idp Account Name as key for credentials store #762
Conversation
The test path impacts Okta and OneLogin, which I couldn't test past the unit tests. It would be great to have someone who is using either of them to validate it! |
40ecd2a
to
c52b819
Compare
@wolfeidau WDYT about this PR? We're using it internally, it allows our AWS admins to use two different users simultaneously. |
This would be a useful change. Logging into Okta with For the moment, the workaround is to use |
15fcd0c
to
e00cb75
Compare
@wolfeidau have you had the chance to look at this PR? |
e00cb75
to
76bbe0e
Compare
Codecov ReportAttention: Patch coverage is
❗ Your organization needs to install the Codecov GitHub app to enable full functionality. Additional details and impacted files@@ Coverage Diff @@
## master #762 +/- ##
==========================================
+ Coverage 36.20% 36.50% +0.29%
==========================================
Files 53 55 +2
Lines 7951 8041 +90
==========================================
+ Hits 2879 2935 +56
- Misses 4703 4739 +36
+ Partials 369 367 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this still required?
I think so; currently for mac os the credentials are stored using the server name, which means you can't have two providers with the same server names. The use case is when you have multiple users for the same provider (common for infra staff). |
LGTM - @wolfeidau / @gliptak - any input on this? |
is this a breaking change for currently stored credentials? |
Yes it would, the name of the credential changes. This is the very problem this PR is fixing, but it would have an impact on users, i.e. credentials have to be entered again. We could make it so the credentials fall back to the old name if the new one doesn't exist, but it would have a side effect of keeping the same current behaviour for users who do need multiple credentials for a single IdP. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we can introduce breaking changes without recourse to the code base. Although. the suggested feature makes sense, it will affect more people, and introduces the element of surprise without warning.
What would make sense it to sanely introduce these changes while preserving backwards compatibility. It might be good to start a discussion to see if the community will be willing to bear the change.
Thoughts?
Agreed on the element of surprise, though i think it could be justified to introduce it in a major update for instance. WDYT about the fallback scenario? Try the new credential names and if they don't exist try the old name? |
That seems fair enough - I could take that as a middle compromise. As long as it is not a breaking change, and existing installations will continue to function without users having to fudge around with their setups. I will also heavily defer to @gliptak and @wolfeidau on this |
I'll amend the PR with this in mind then. Need to dive back into it, it's been a while :-) |
👍 on the fallback approach proposed |
At the moment the credentials are stored using the idp server url as a primary key for the keychain store. This is very useful if you need to authenticate through different providers or environment (and thus different endpoints), however this prevents the use case where users may want to use different idp accounts to authenticate using different users. A typical example of this is that some users often have a normal user and an admin user with different properties, roles and limitations. This change is refactoring how credentials are stored across the code base to use the idp Name instead of the server URL.
This commit introduces a LegacyGet function for the keyring helpers. This function provides the backward compatible behaviour we're looking for while introducing a new keychain naming. For most keyring providers, the function is the same, though called with a different parameter name (idp name vs serverURL). However, for macs, the behaviour is slightly different as it uses a common key name (so you can never have more than one IdP). Added some tests for the LookupCredentials function.
f0738dd
to
ce74b2c
Compare
I've updated the PR with a few additional things:
|
@mapkon @wolfeidau @gliptak Lemme know what you think 😅 |
@sledigabel if there is LegacyGet, would there also be LegacyDelete (facilitating a transition into the new format)? |
So the reason this is configured in this way is because that is how Apple Keychain works, if you read the documentation for it https://developer.apple.com/documentation/security/keychain_services/keychain_items/adding_a_password_to_the_keychain So I didn't want to jam something different in just in case Apple added features in and around this construct, domain restrictions ect. The https://github.com/99designs/keyring which we use in saml2aws for linux and windows uses a newer interface, I have for some time wanted to remove all the DIRECT keychain stuff from saml2aws and just use this abstraction, which in turn uses "named services" instead of Host. Clearly there needs to be some communication of this change to users who were using host based model and happy, myself included as it will impact the majority of quite happy consumers! cc @sledigabel @gliptak Keen to hear peoples thoughts on this, encourage you to consider the silent majority :) PS. I need to dig more into how this change works BTW, just want to get some background for people. |
Hi @wolfeidau, Thanks for your insightful comment and the initial thoughts behind the osx keychain, Though it's not the initial goal of the PR, it's trying to address it by considering each keychain entry as a key/value (value being username/password) store. I appreciate this might be disruptive for existing users and was expecting some pushback on this, I was thinking this could be inserted as a future major version release, or like it did happen after the initial comments, find a way to make this backward compatible. On the OSX keychain bit, I didn't see the documentation indeed, thanks for the pointer. The route to choosing the idpName as an ID for the credentials made sense to me as it has to be unique for the saml2aws configuration, it's easier to find in the keychain itself and it's already providing a unique URL/username set too. I think the use of the keyring library as a unifier makes a lot of sense. |
I need to confirm this when I'm back, but I don't think Delete is called by anything else than the unit tests. Therefore it didn't make sense to keep it as users don't interact with the current or previous implementation. |
@mapkon @wolfeidau @gliptak please lemme know how you want to proceed on this. |
I will defer to @wolfeidau decision since he has more historical context (and technical gravitas) than me on this. I am happy to merge if he gives the go-ahead |
Hi @sledigabel, apologies for the delay in getting back to you. I had a discussion with @mapkon and we agreed to get this pull request going. There is currently a branch conflict, are you able to get it resolved? |
Hi @tinaboyce thanks for getting back on this, |
@tinaboyce I've not forgotten about this, but when I sat down to rebase I found out that some substantial changes were made and that brought new questions around unit testing. |
At the moment the credentials are stored using the idp server url as
a primary key for the keychain store.
This is very useful if you need to authenticate through different
providers or environment (and thus different endpoints), however this
prevents the use case where users may want to use different idp accounts
to authenticate using different users.
A typical example of this is that some users often have a normal user
and an admin user with different properties, roles and limitations.
This change is refactoring how credentials are stored across the code
base to use the idp Name instead of the server URL.
Tested on Linux and Mac with ADFS.