threat-dragon
threat-dragon copied to clipboard
OWASP
Isolate Authentication and Repository
Describe what problem your feature request solves: In reviewing #629, #426 and #1 I believe we need to decouple Authentication from the Repository, in cases where it is sensible.
| Authentication | Repository | Status |
|---|---|---|
| Github | Github Repo | Implemented |
| Bitbucket | Bitbucket Repo | Implemented |
| AWS IAM | S3 | #426 requests |
| AWS IAM | AWS SQL | New |
| Azure | Azure Blob | New |
| Azure | Azure SQL | New |
| (Note - I am not proposing to build all of these combos!) |
Describe the solution you'd like:
- [ ] Enable either intermediate screens between Provider selection and Repo selection for choice of Repository (where appropriate) or rely upon property files only.
- [ ] Isolate the Provider and Repository coupling in Node - at present the authentication mechanism sets the repository, and they are 1-2-1.
Key Questions:
- Is there a valid use case here to have a single Authentication Provider enable access to multiple types of repository? (I am not anticipating multiple repositories within a threat dragon instance)
- Do we want end users/modellers, not deployers, to select between repository options themselves or defer this to config in deployment?
As always, happy to be told this is beyond the scope or vision of the platform.
Hello @steve-winter , this is certainly within scope and many thanks for proposing the solution. My view is that if it makes sense (and it seems to) then certainly start work on it and we can see how it feels to use. I have targeted it for version 2.2 to allow some time We have a configuration option for GitHub Enterprise, so that may complicate things or make the deployment config more attractive But personally I am happy with any solution, Threat Dragon is a community effort after all !
