[Freeipa-devel] [PATCH] [WIP] Firefox extension

Petr Vobornik pvoborni at redhat.com
Tue Oct 2 16:38:17 UTC 2012


This effort is still a WIP but I wanted to send it to allow comments on 
chosen approaches.

You can visually check config pages on:
http://pvoborni.fedorapeople.org/config/unauthorized.html
and http://pvoborni.fedorapeople.org/config/browserconfig.html

Note that installation of ca.crt and the extension won't work because the 
fedorapeople server doesn't send proper headers.

If you want to build it and test it, to not mess up your FF profile, 
make a new one:
firefox -ProfileManager
firefox -P myprofilename --no-remote

So far I tested it only on FF15. It should be functional on FF4 and 
later but it most likely won't work on FF3.6 (doesn't support 
bootstrapping ext and xul overlay not tested). I will work on FF3.6 
support ASAP.

I didn't test installations of replicas.

Patch descriptions:

Kerberos authentication extension
---------------------------------

The extension should replace signed code (configure.jar) used for 
Firefox configuration. Using privileged code is not possible since 
Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used 
without browser restart on Firefox 4 and later.

How it works:
The extension listens on each page's document element for the event 
'kerberos-auth-config', which should be raised on a custom data element. 
Communication data is transferred through the data element's attributes [3]. 
The only required attribute is 'method'. Currently there are two 
possible values: 'configure' and 'can_configure'.
The 'can_configure' method serves for detecting if the extension is 
installed. The 'configure' method does the actual configuration. Possible 
options for 'configure' can be found in 
kerberosauth.js:kerberosauth.config_options. Currently they are: 
'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. The result of 
a method is stored in the data element's 'answer' attribute. When the 
'configure' method is used, the extension asks the user if he wants to 
configure the browser; this should prevent silent configuration by 
malicious pages.

Possible enhancement:
* add UI for manual edit
* more configurations, i.e. for gss_lib, sspi (good with UI or with an 
enhanced config page)
* introspection of client (read ipa client install config and such)

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3] 
https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages

Build and installation of Kerberos authentication extension
-----------------------------------------------------------

This patch is removing files associated with configure.jar and a build 
of configure.jar with a build of kerberosauth.xpi (FF Kerberos 
authentication extension).

Currently the build is done in the install phase of the FreeIPA server. It is to 
allow signing of the extension by the signing certificate. The signing might 
not be necessary because the only outcome is that in extension 
installation FF doesn't show that the maker is not verified. It shows the 
text: 'Object signing cert'. This might be a bug in 
httpinstance.py:262 (db.create_signing_cert("Signing-Cert", "Object 
Signing Cert", ca_db)): the value is in place of the hostname parameter.

If the extension is not signed, it can be created in rpm build phase, 
which should make upgrades easier. Current implementation doesn't handle 
upgrades yet.

In order to keep the extension and config pages not dependent on a realm, a 
krb.js.template file was created. This template is used for creating a 
/usr/share/ipa/html/krb.js file in the install phase which holds FreeIPA's 
realm and domain information. This information can then be used by 
config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

Configuration pages changed to use new FF extension
---------------------------------------------------

browserconfig.html was changed to use the new FF extension. The page is 
completely Firefox specific, therefore the title was changed from 
'Configure browser' to 'Firefox configuration'. Instructions to import the CA 
cert in unauthorized.html are FF specific too, so they were moved to 
browserconfig.html. The unauthorized.html text was changed to distinguish FF 
config and other browsers. Now the page shows links for FF 
(browserconfig.html) and other browsers (ssbrowser.html). ssbrowser.html 
should be enhanced by more configurations and browsers later [1].

The unauthorized dialog in the Web UI now links to http://../unauthorized.html 
instead of https. This change is done because of Firefox's strange handling of 
extension installations from https sites [2]. Firefox allows extension 
installation from https sites only when the certificate is signed by 
some built-in CA. To allow custom CAs an option in about:config has to 
be changed, which doesn't help us at all because we want to avoid manual 
changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 
Enhancements_v2.odt). It is not exactly the same. Highlighting of the 
steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383

-- 
Petr Vobornik
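The page-to-extension exchange described under "How it works", as an added example that is not part of the patches above. The attribute names 'method' and 'answer', the two method values, the option names and the event name come from the mail; the data element's tag name, the answer values 'true'/'false' and the confirm/apply callbacks are assumptions.

```javascript
// Added example (not from the FreeIPA patch): the page <-> extension protocol
// modelled as two DOM-free functions plus the DOM glue that raises the event.
const CONFIG_OPTIONS = ['referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'];
const EVENT_NAME = 'kerberos-auth-config';

// Page side: build the attribute set for the data element. Unknown options are
// rejected on the page so a typo is not silently dropped by the extension.
function buildRequest(method, options = {}) {
  if (method !== 'configure' && method !== 'can_configure') {
    throw new Error('unknown method: ' + method);
  }
  const attrs = { method };
  for (const [key, value] of Object.entries(options)) {
    if (!CONFIG_OPTIONS.includes(key)) throw new Error('unknown option: ' + key);
    attrs[key] = String(value); // DOM attributes are always strings
  }
  return attrs;
}

// Extension side: compute the 'answer'. `confirm(opts)` is the user prompt that
// blocks silent configuration by a malicious page; `apply(opts)` writes the
// Firefox prefs. Only the known option names are copied out of the attributes.
function handleRequest(attrs, confirm, apply) {
  if (attrs.method === 'can_configure') return 'true';          // extension present
  if (attrs.method !== 'configure') return 'error: unknown method';
  const opts = {};
  for (const key of CONFIG_OPTIONS) if (key in attrs) opts[key] = attrs[key];
  if (!confirm(opts)) return 'false';                           // user declined
  apply(opts);
  return 'true';
}

// DOM glue (page side): create the data element, raise the event on it so the
// extension's listener on the document element sees it, then read 'answer'.
// `doc` is injected so the logic above stays testable outside a browser.
function sendRequest(doc, method, options) {
  const el = doc.createElement('kerberosauthdata'); // tag name is an assumption
  for (const [k, v] of Object.entries(buildRequest(method, options))) {
    el.setAttribute(k, v);
  }
  doc.documentElement.appendChild(el);
  const ev = doc.createEvent('Events');
  ev.initEvent(EVENT_NAME, true, false);             // bubbles up to documentElement
  el.dispatchEvent(ev);
  const answer = el.getAttribute('answer');          // set synchronously by the extension
  doc.documentElement.removeChild(el);
  return answer;
}
```

In a real page, `sendRequest(document, 'can_configure')` returning null means the extension is not installed, which is what unauthorized.html needs to decide whether to offer the XPI.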
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0216-Kerberos-authentication-extension.patch
Type: text/x-patch
Size: 16183 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0217-Kerberos-authentication-extension-makefiles.patch
Type: text/x-patch
Size: 6404 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0218-Build-and-installation-of-Kerberos-authentication-ex.patch
Type: text/x-patch
Size: 12521 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0219-Configuration-pages-changed-to-use-new-FF-extension.patch
Type: text/x-patch
Size: 30228 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0003.bin>

