[Freeipa-devel] [PATCH] [WIP] Firefox extension
Petr Vobornik
pvoborni at redhat.com
Tue Oct 2 16:38:17 UTC 2012
This effort is still a WIP but I wanted to send it to allow comments on
chosen approaches.
You can visually check config pages on:
http://pvoborni.fedorapeople.org/config/unauthorized.html
resp. http://pvoborni.fedorapeople.org/config/browserconfig.html
Note that installation of ca.crt and extension won't work because
fedorapeople server doesn't send proper headers.
If you want to build it and test it, to not mess up your FF profile,
make a new one:
firefox -ProfileManager
firefox -P myprofilename --no-remote
So far I tested it only on FF15. It should be functional on FF4 and
later but it most likely won't work on FF3.6 (doesn't support
bootstrapping ext and xul overlay not tested). I will work on FF3.6
support ASAP.
I didn't test installations of replicas.
Patch descriptions:
Kerberos authentication extension
---------------------------------
The extension should replace signed code (configure.jar) used for
Firefox configuration. Using privileged code is not possible since
Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used
without browser restart on Firefox 4 and later.
How it works:
Extension listens on each page's document element for event
'kerberos-auth-config' which should be raised on custom data element.
Communication data is transferred through data element's attributes [3].
The only required attribute is 'method'. Currently there are two
possible values: 'configure' and 'can_configure'.
'can_configure' method serves for detecting if the extension is
installed. 'configure' method does the actual configuration. Possible
optional options for 'configure' can be found in
kerberosauth.js:kerberosauth.config_options. Currently they are:
'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of
a method is stored in data element's 'answer' attribute. When
'configure' method is used, the extension asks the user if he wants to
configure the browser; it should prevent silent configuration by
malicious pages.
Possible enhancement:
* add UI for manual edit
* more configurations ie. for gss_lib, sspi (good with UI or with
enhanced config page)
* introspection of client (read ipa client install config and such)
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3]
https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
Build and installation of Kerberos authentication extension
-----------------------------------------------------------
This patch is removing files associated with configure.jar and a build
of configure.jar with a build of kerberosauth.xpi (FF Kerberos
authentication extension).
Currently the build is done in install phase of FreeIPA server. It is to
allow signing of the extension by signing certificate. The signing might
not be necessary because the only outcome is that in extension
installation FF doesn't show that the maker is not verified. It shows
text: 'Object signing cert'. This might be a bug in
httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object
Signing Cert", ca_db)) The value is in place of hostname parameter.
If the extension is not signed, it can be created in rpm build phase,
which should make upgrades easier. Current implementation doesn't handle
upgrades yet.
In order to keep extension and config pages not dependent on a realm, a
krb.js.template file was created. This template is used for creating a
/usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's
realm and domain information. This information can be then used by
config pages by importing this file.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
Configuration pages changed to use new FF extension
---------------------------------------------------
browserconfig.html was changed to use new FF extension. The page is
completely Firefox specific therefore the title was changed from
'Configure browser' to 'Firefox configuration'. Instructions to import CA
cert in unauthorized.html are FF specific too, so they were moved to
browserconfig.html. Unauthorized.html text was changed to distinguish FF
config and other browsers. Now the page shows link for FF
(browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html
should be enhanced by more configurations and browsers later [1].
Unauthorized dialog in Web UI now links to http://../unauthorized.html
instead of https. This change is done because of FF's strange handling of
extension installations from https sites [2]. Firefox allows ext.
installation from https sites only when the certificate is signed by
some built-in CA. To allow custom CAs an option in about:config has to
be changed, which doesn't help us at all because we want to avoid manual
changes in about:config.
The design of browserconfig is inspired by Kyle Baker's design (2.1
Enhancements_v2.odt). It is not exactly the same. Highlighting of the
steps wasn't used because in some cases we can switch some steps.
Ticket: https://fedorahosted.org/freeipa/ticket/3094
[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0216-Kerberos-authentication-extension.patch
Type: text/x-patch
Size: 16183 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0217-Kerberos-authentication-extension-makefiles.patch
Type: text/x-patch
Size: 6404 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0218-Build-and-installation-of-Kerberos-authentication-ex.patch
Type: text/x-patch
Size: 12521 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0219-Configuration-pages-changed-to-use-new-FF-extension.patch
Type: text/x-patch
Size: 30228 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20121002/eb1022a4/attachment-0003.bin>
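The request handling described under "How it works" in the message above, as an added JavaScript sketch that is not part of the original post or of the attached patches. The method, option and attribute names are the ones quoted in the message; `DataElement`, `handleRequest`, `askUser`, `applyConfig` and the answer strings are hypothetical.

```javascript
// Added illustration of the extension side of the 'kerberos-auth-config'
// exchange. Only the method, option and attribute names come from the message.
const METHODS = new Set(['configure', 'can_configure']);
const CONFIG_OPTIONS = new Set(['referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies']);

// Minimal stand-in for the page's data element so the sketch runs outside a browser.
class DataElement {
  constructor(attrs) { this.attrs = new Map(Object.entries(attrs)); }
  getAttributeNames() { return [...this.attrs.keys()]; }
  getAttribute(name) { return this.attrs.has(name) ? this.attrs.get(name) : null; }
  setAttribute(name, value) { this.attrs.set(name, String(value)); }
}

// Handles one request raised by an unprivileged page.
// askUser(options) -> boolean stands in for the confirmation prompt.
// applyConfig(options) stands in for writing the browser preferences.
function handleRequest(element, askUser, applyConfig) {
  // The result goes back to the page through the 'answer' attribute.
  const answer = (value) => { element.setAttribute('answer', value); return value; };

  const method = element.getAttribute('method');
  if (!METHODS.has(method)) return answer('error: unknown method');
  if (method === 'can_configure') return answer('true'); // presence check only

  // Accept only allowlisted options; any other attribute set by the page is refused.
  const options = {};
  for (const name of element.getAttributeNames()) {
    if (name === 'method' || name === 'answer') continue;
    if (!CONFIG_OPTIONS.has(name)) return answer('error: unknown option ' + name);
    options[name] = element.getAttribute(name);
  }

  // Nothing is written until the user has approved the exact values requested.
  if (!askUser(options)) return answer('aborted');
  applyConfig(options);
  return answer('configured');
}
```

Passing the collected options to `askUser` lets the prompt show the user exactly which values the page is asking to set.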