Fake.Deploy agent should require user authentication #232
Comments
I think this could be pretty easily added into the existing code by changing from HttpListener hosting to OWIN self-hosting (the Microsoft.Owin.Host.HttpListener host works well for my F# project) and then using an authentication middleware like Microsoft.Owin.Security.Basic for simple authentication. |
Is this stuff portable? |
As far as licensing is concerned, I'm not sure. However, I've been using those libraries just fine on my Mac with Mono 3.2.4. Nowin also works in place of Microsoft.Owin.Host.HttpListener if for some reason things don't work right on other platforms. |
What do others think is the best way to implement this? /cc @panesofglass @colinbull @max_malook |
/cc @mexx |
Now that I've looked around for it, seems like there's no actual Microsoft.Owin.Security.Basic package so we'd probably have to write the bits for that in the Owin pipeline. Maybe it is better to go with Nancy like @colinbull suggested, looks like the stateless auth feature could be helpful for that: https://github.com/NancyFx/Nancy/wiki/Stateless-Authentication |
That's why I cced @panesofglass. He wrote some F# related stuff in this
|
Both Katana and Nancy should work, and Katana would both be lighter and have the security we would need. I was sure Basic was released. I'll see the team later today or tomorrow and can verify. I'll take a look at the implementation of Fake.Deploy.Web in a bit. |
Is that an MVC app? If so, we will need to go with something else, as MVC won't run on OWIN. Web API with the Razor formatter would be closest, but Nancy and Simple.Web are also nice options. |
I think the website and the agent are two separate apps. Probably don't need to change the website at all since it already has authentication (looks like ASP.NET Membership). The Fake.Deploy agent app seems to be a standalone app with an HttpListener, so OWIN or Nancy would be fine so long as the actual credential checking is done against the same DB used for the site. |
Currently there are two scenarios for deployment of a package.
In both scenarios it's crucial to be sure that the initiator is allowed to deploy and the content of the package doesn't get manipulated on transport. @panesofglass Fake.Deploy.Agent is a service/daemon which utilizes HttpListener. |
I agree that it's not necessary to use the same DB, it would just be a matter of convenience to have the same credentials. However I do like your idea about signing the payload so that it can be verified by the agent. That could mitigate the need for credential-based authentication and probably simplify agent deployment if you don't actually need the web frontend running on the remote server. |
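Editor's added example, not part of the thread and not FAKE's code: a sketch of the payload-signing idea discussed above, in which the agent accepts a package only if its signature verifies under a public key it trusts. The function names, the `trusted` allow-list and the "build-server" key name are assumptions made for the illustration.

```fsharp
open System.Security.Cryptography
open System.Text

// Initiator side: sign the raw package bytes with the initiator's private key.
let signPackage (key: RSA) (package: byte[]) : byte[] =
    key.SignData(package, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)

// Agent side: return the name of the trusted initiator whose public key
// verifies the signature, or None if the package must be rejected.
// `trusted` is a hypothetical allow-list the agent would load from its config.
let tryAuthorize (trusted: (string * RSA) list) (package: byte[]) (signature: byte[]) : string option =
    trusted
    |> List.tryFind (fun (_, publicKey) ->
        publicKey.VerifyData(package, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1))
    |> Option.map fst

// Copy only the public half of a key pair, which is all the agent should hold.
let publicOnly (key: RSA) : RSA =
    let pub = RSA.Create()
    pub.ImportParameters(key.ExportParameters(false))
    pub

let demo () =
    // Constructed key pairs and package bytes, generated only for this demo.
    use buildServer = RSA.Create(2048)
    use stranger = RSA.Create(2048)
    use agentCopy = publicOnly buildServer
    let trusted = [ "build-server", agentCopy ]
    let package = Encoding.UTF8.GetBytes("constructed stand-in for the package bytes")
    let tampered = Array.copy package
    tampered.[0] <- tampered.[0] ^^^ 1uy   // flip one bit, as a modification in transit would
    let goodSig = signPackage buildServer package
    let strangerSig = signPackage stranger package
    printfn "untouched package, trusted signer: %A" (tryAuthorize trusted package goodSig)
    printfn "package altered after signing:     %A" (tryAuthorize trusted tampered goodSig)
    printfn "signed by an unknown key:          %A" (tryAuthorize trusted package strangerSig)

demo ()
```

The check covers both concerns raised in the thread (who initiated the deployment, and whether the package changed on the way); it does not by itself stop a previously valid signed package from being sent again.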
+1 I really like the idea of signing the payload. However I still think we On Wed, Nov 20, 2013 at 8:09 PM, David Wilson [email protected]:
|
Would client cert work? |
Yep.. I think so. On Thu, Nov 21, 2013 at 9:08 AM, Ryan Riley [email protected]:
|
Saw that this bug was just added to the GitHub "Up for Grabs" list, cool! I was planning on trying to add support for the auth stuff myself over the Thanksgiving holiday, has anyone else already started on it? |
Go for it |
Any news?? |
I'm a terrible person for letting this linger so long, sorry about that. I changed directions majorly in my project development about a month after I posted this, so I ended up not even using F# or FAKE for my project. Hopefully someone else has a similar need as I did and can come help implement this authentication! |
I think now we have NancyFx as the web interface we can just enable this, can't we? Just guessing? |
/cc @MorganPersson |
I'm on it :-) |
Closing old issue |
Right now the Fake.Deploy.Web code has user authentication but the deployment agent itself does not. This could be pretty risky if the agent is exposed to the public internet, so it'd be nice if some form of authentication could be added to secure deployment requests.
Thanks!