Should we create a shared net-sasl gem? #23

nevans · 2021-04-28T23:05:30Z

Currently, the following gems duplicate partial support for a small subset of SASL mechanisms:

net-imap
net-smtp
net-pop (it's actually missing, but it should be in there)
net-ldap
blather (XMPP)
memcached
dalli (another memcached client)
...and probably many others.

This duplication and incomplete support basically defeats the purpose of SASL. It seems to me that SASL is used in a wide enough number of internet protocols that some level of SASL support should be in stdlib. See e.g. it's in java standard edition

We could start with a very simple API, which only handles client-side authentication and doesn't do much more than Net::IMAP already does. Simply providing a standard for pluggable support is useful. E.g here's a starter proposal:

class Net::SASL::Registry to allow non-global config, so e.g. a mechanism could be added to Net::IMAP without affecting other libraries.
- #add_authenticator(name, mechanism_class)
- #authenticator(name, *args)
- both of these methods would also be available from a global registry on Net::SASL
Net::SASL::Authenticator interface (can provide a super-class with NotImplementedError on perform):
- #initialize(*credentials, uri: nil)
  - some mechanisms require the host and port, and supporting that in the generic interface simplifies making clients work properly regardless of which mechanism is selected.
- #supports_initial_response?
- #process(challenge) - just as with Net::IMAP. IR sends a nil challenge
- #done? - for mechanisms implementing a state machine, users of the library can know it is done without needing to call #perform and catch an exception.
- respond_to?(...)could be used for backwards compatibility with Net::IMAP authenticators which haven't yet been updated to add supports_initial_response? or #done?.
utility methods:
- Net::SASL.saslprep(string) - implements RFC4013, which is required by some mechanisms and recommended for others

And, of course, we could start by adding the existing Net::IMAP mechanisms. But it would be simple and very useful to add OAUTHBEARER and some others as well.

I've marked #22 as a draft, pending some discussion about this. Is this the correct place to discuss this? Should I create a ticket in the ruby issue tracker?

The text was updated successfully, but these errors were encountered:

nevans · 2021-04-29T23:15:36Z

FYI: I pushed a proof of concept here: master...nevans:net-sasl

shugo · 2021-04-30T00:23:32Z

net-* are not bundled gems, but default gems now, so such a structural change may affect maintenance cost of Ruby releases.

@hsbt What do you think?

nevans · 2021-05-03T20:06:32Z

I definitely don't want to increase maintenance costs. But this functionality is already in default gems twice (net-imap and net-smtp) and it's noticeably missing from net-pop. It probably would've been added net-pop too... if a simple shared SASL library had existed. 😄 My hope is that this could maybe decrease overall maintenance cost across all three projects?

I've just released https://rubygems.org/gems/net-sasl v0.1.0, and I'll happily transfer ownership of the gem if the proposal is accepted. I've created a new branch which uses it (master...nevans:net-sasl-gem) and I can submit draft PRs to net-smtp and net-pop later in the week.

I was planning to add support for ANONYMOUS, EXTERNAL, XOAUTH, and OAUTHBEARER. And I noticed that the ruby-kafka gem has support for GSSAPI, SCRAM-SHA-256, and SCRAM-SHA-512, so those should be relatively simple to copy over as well. Of course these can just as easily be added to net-imap as to net-sasl, but with net-sasl we can make them automatically available to any library that uses it: IMAP, POP, SMTP, LDAP, XMPP, Kafka, etc.

What do you think?

shugo · 2021-05-06T00:38:52Z

I'm for your proposal, but I'm not a maintainer of net-smtp and net-pop, so I'll wait for replies to PRs to them.

nevans · 2021-05-06T13:51:58Z

Great, thanks. I'll put those PRs together when I have time (next week probably).

Neustradamus · 2022-01-12T04:28:13Z

To follow :)

This commit converts `#authenticate` to use `net-imap` as a generic fallback for mechanisms that haven't otherwise been added (as subclasses of `Authenticator`). In this commit, the original implementation is still used by `#authenticate` for the `PLAIN`, `LOGIN`, and `CRAM-MD5` mechanisms. Every other mechanism supported by `net-imap` v0.4.0 is added here: * `ANONYMOUS` * `DIGEST-MD5` _(deprecated)_ * `EXTERNAL` * `OAUTHBEARER` * `SCRAM-SHA-1` and `SCRAM-SHA-256` * `XOAUTH` **TODO:** Ideally, `net-smtp` and `net-imap` should both depend on a shared `sasl` or `net-sasl` gem, rather than keep the SASL implementation inside one or the other. See ruby/net-imap#23. **TODO:** since we already know the authenticator arguments up-front, we can validate authenticator arguments by simply creating the authenticator object and rely on the its initializer to raise ArgumentError for missing args.

This commit adds the `net-imap` as a default fallback for mechanisms that haven't otherwise been added. In this commit, the original implementation is still used by `#authenticate` for the `PLAIN`, `LOGIN`, and `CRAM-MD5` mechanisms. Every other mechanism supported by `net-imap` v0.4.0 is added here: * `ANONYMOUS` * `DIGEST-MD5` _(deprecated)_ * `EXTERNAL` * `OAUTHBEARER` * `SCRAM-SHA-1` and `SCRAM-SHA-256` * `XOAUTH` **TODO:** Ideally, `net-smtp` and `net-imap` should both depend on a shared `sasl` or `net-sasl` gem, rather than keep the SASL implementation inside one or the other. See ruby/net-imap#23.

This commit adds the `net-imap` as a default fallback for mechanisms that haven't otherwise been added. In this commit, the original implementation is still used by `#authenticate` for the `PLAIN`, `XOAUTH2`, `LOGIN`, and `CRAM-MD5` mechanisms. Every other mechanism supported by `net-imap` v0.4.0 is added here: * `ANONYMOUS` * `DIGEST-MD5` _(deprecated)_ * `EXTERNAL` * `OAUTHBEARER` * `SCRAM-SHA-1` and `SCRAM-SHA-256` **TODO:** Ideally, `net-smtp` and `net-imap` should both depend on a shared `sasl` or `net-sasl` gem, rather than keep the SASL implementation inside one or the other. See ruby/net-imap#23.

nevans assigned hsbt and shugo Apr 28, 2021

nevans mentioned this issue Apr 28, 2021

Extract authenticators to their own files #22

Merged

nevans added the SASL 🔒 Authentication and authentication mechanisms label Feb 12, 2023

nevans mentioned this issue Sep 25, 2023

[🚧 WIP] SASL refactoring and new mechanisms #78

Draft

37 tasks

nevans mentioned this issue Oct 9, 2023

Use a shared SASL implementation ruby/net-smtp#69

Draft

nevans mentioned this issue Oct 14, 2023

Forward-compatible SASL API ruby/net-smtp#68

Draft

nevans mentioned this issue Oct 15, 2023

✨ Add secret alias (for password, oauth2_token, etc) to relevant SASL mechanisms #195

Merged

nevans pinned this issue Oct 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Should we create a shared net-sasl gem? #23

Should we create a shared net-sasl gem? #23

nevans commented Apr 28, 2021 •

edited

Loading

nevans commented Apr 29, 2021

shugo commented Apr 30, 2021

nevans commented May 3, 2021 •

edited

Loading

shugo commented May 6, 2021

nevans commented May 6, 2021

Neustradamus commented Jan 12, 2022

Should we create a shared net-sasl gem? #23

Should we create a shared net-sasl gem? #23

Comments

nevans commented Apr 28, 2021 • edited Loading

nevans commented Apr 29, 2021

shugo commented Apr 30, 2021

nevans commented May 3, 2021 • edited Loading

shugo commented May 6, 2021

nevans commented May 6, 2021

Neustradamus commented Jan 12, 2022

nevans commented Apr 28, 2021 •

edited

Loading

nevans commented May 3, 2021 •

edited

Loading