[Pki-devel] [PATCH] 0005 TPS User Authenticator Framework

Endi Sukma Dewata edewata at redhat.com
Mon May 12 18:20:20 UTC 2014 

On 5/8/2014 10:52 PM, Christina Fu wrote:
> This patch implements ticket https://fedorahosted.org/pki/ticket/879 TPS
> Rewrite: Implement User Authentication
>
>      This patch provides the framework that allows people to
>      1. write their own authentication plugins using the authentication
>         plugin framework
>      2. map the authenticaiton credential from client side (e.g. ESC or
> alike)
>         in both display language characters and numbers of credential
> parameters
>         to the specified authentication plugin required parameters.
>
> I will create a separate ticket to provide plugin instruction much like
> http://pki.fedoraproject.org/wiki/PKI_Authentication_Plug-ins to RHCS
>
> Please review.
> Thanks!
> Christina

Some comments:

1. As discussed over IRC, there are legacy properties that should be 
updated so that the UI can manage the authenticator configuration.

   target.Authentication_Sources.displayname=Authentication Source
   target.Authentication_Sources.list=0,1
   target.Authentication_Sources.pattern=auth\.instance\.$name\..*

2. Also discussed over IRC, in AuthenticationManager initAuthInstances() 
the code ignores createAuthentication() failures and continues with the 
loop. I'd suggest we don't catch the exception so the problem can be 
detected early.

3. In general we should avoid using Hashtable because it's synchronized 
(i.e. slower). Unless synchronization is required, a HashMap or 
LinkedHashMap would be a better alternative. See:
http://stackoverflow.com/questions/40471/differences-between-hashmap-and-hashtable

4. Checking both for null and empty string can be simplified with 
StringUtils.isEmpty():
http://commons.apache.org/proper/commons-lang/javadocs/api-2.6/org/apache/commons/lang/StringUtils.html#isEmpty(java.lang.String)

   if (title == null || title.equals("")) {
   if (description == null || description.equals("")) {
   if (name == null || name.equals("")) {
   if (desc == null || desc.equals("")) {
   if (prefix == null || prefix.equals("")
       || tokenType == null || tokenType.equals("")) {
   if (op == null || op.equals("")
       || userAuth == null || userCred == null) {
   if (op == null || op.equals("") ||
     cuid == null || cuid.equals("") || auth == null || extensions == 
null) {
   if (title==null || title.equals(""))
   if (description==null || description.equals(""))
   if (parameters == null || title == null || title.equals("") ||
     description == null || description.equals("") || auth == null)

5. In TPSProcessor.authenticateUser() if aToken is null it will throw an 
exception, then the exception will be caught and thrown again.

     try {
         IAuthToken aToken = auth.authenticate(...);
         if (aToken != null)
             ...
         else {
             throw new TPSException(...);
         }
     } catch (Exception e) {
         throw new TPSException(...);
     }

To avoid this problem the code can be changed to only catch EBaseException.

Everything else is good. ACK.

-- 
Endi S. Dewata

More information about the Pki-devel mailing list