Skosmos
(External) Authentication layer
Reasons for creating this PR
We are in need of a Skosmos instance that is not available for the public, but only available through an authentication layer (SimpleSamlPHP in our case).
Description of the changes in this PR
Added an authentication layer, with minimal changes in the existing model and controller classes.
Codecov Report
Merging #1337 (dfb2d29) into master (089b8f5) will decrease coverage by 0.82%. The diff coverage is 9.80%.
@@ Coverage Diff @@
## master #1337 +/- ##
============================================
- Coverage 70.68% 69.85% -0.83%
- Complexity 1646 1667 +21
============================================
Files 32 33 +1
Lines 3786 3835 +49
============================================
+ Hits 2676 2679 +3
- Misses 1110 1156 +46
Impacted Files | Coverage Δ | |
---|---|---|
controller/Auth/SimpleSamlPHP/SimpleSamlPHP.php | 0.00% <0.00%> (ø) | |
controller/Controller.php | 52.44% <7.14%> (-4.92%) | :arrow_down: |
model/BaseConfig.php | 71.42% <100.00%> (ø) | |
model/GlobalConfig.php | 89.09% <100.00%> (+0.20%) | :arrow_up: |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Kudos, SonarCloud Quality Gate passed!
0 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells
No Coverage information
0.0% Duplication
Thanks for the PR @YOUR1 and sorry for the somewhat late response.
Can you explain why you decided to create an authentication layer in PHP? The alternative would be to configure Apache with authentication and authorization using one of the many mod_auth* modules. Of course this has its own limitations but at least it should be bullet-proof once configured since it protects a whole directory / URL space.
No problem. Using mod_auth implies that you are using apache2 as a webserver. That's obviously not always the case. Also, as you mentioned, mod_auth has its own limitations. We are using SimpleSamlPHP as an authentication backend for some of our clients, and mod_auth couldn't support that the way we wanted. Also, this adds more flexibility to add more/different authentication methods.
Authentication as part of Skosmos would make more sense if only some vocabularies are non-public. If everything is put behind login, a proxy would be a cleaner solution.
Skosmos (and its REST API) still has global search and other ways to access combinations of vocabularies. Having to hide some vocabularies entirely from unauthorized would take a lot of work. Right now the assumption is that everything is public information.
So then there is no need to add authentication functionality into Skosmos: the question of access is better solved on a different layer (e.g. webserver/proxy) than the PHP code of Skosmos. Just my 2 cents.