(External) Authentication layer

[YOUR1]

Reasons for creating this PR

We are in need of a Skosmos instance that is not available for the public, but only available through an authentication layer (SimpleSamlPHP in our case).

Description of the changes in this PR

Added an authentication layer, with minimal changes in the existing model and controller classes.

[codecov]

Codecov Report

Merging #1337 (dfb2d29) into master (089b8f5) will decrease coverage by 0.82%.
The diff coverage is 9.80%.

@@             Coverage Diff              @@
##             master    #1337      +/-   ##
============================================
- Coverage     70.68%   69.85%   -0.83%     
- Complexity     1646     1667      +21     
============================================
  Files            32       33       +1     
  Lines          3786     3835      +49     
============================================
+ Hits           2676     2679       +3     
- Misses         1110     1156      +46     

Impacted Files	Coverage Δ
controller/Auth/SimpleSamlPHP/SimpleSamlPHP.php	0.00% <0.00%> (ø)
controller/Controller.php	52.44% <7.14%> (-4.92%)	⬇️
model/BaseConfig.php	71.42% <100.00%> (ø)
model/GlobalConfig.php	89.09% <100.00%> (+0.20%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 089b8f5...dfb2d29. Read the comment docs.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
2 Code Smells

No Coverage information
0.0% Duplication

[osma]

Thanks for the PR @YOUR1 and sorry for the somewhat late response.

Can you explain why you decided to create an authentication layer in PHP? The alternative would be to configure Apache with authentication and authorization using one of the many mod_auth* modules. Of course this has its own limitations but at least it should be bullet-proof once configured since it protects a whole directory / URL space.

[YOUR1]

Thanks for the PR @YOUR1 and sorry for the somewhat late response.

Can you explain why you decided to create an authentication layer in PHP? The alternative would be to configure Apache with authentication and authorization using one of the many mod_auth* modules. Of course this has its own limitations but at least it should be bullet-proof once configured since it protects a whole directory / URL space.

No problem. Using mod_auth implies that you are using apache2 as a webserver. That's obviously not always the case. Also; as you mentioned - mod_auth has its own limitations. We are using SimpleSamlPHP as a authentication backend for some of our clients; and mod_auth couldn't support that the way we wanted. Also; this adds more flexibility to add more/different authentication methods.

[nichtich]

Authentication as part of Skosmos would make more sense if only some vocabularies are non-public. If everything is put behind login, a proxy would be a cleaner solution.

[osma]

Authentication as part of Skosmos would make more sense if only some vocabularies are non-public.

Skosmos (and its REST API) still has global search and other ways to access combinations of vocabularies. Having to hide some vocabularies entirely from unauthorized would take a lot of work. Right now the assumption is that everything is public information.

[nichtich]

Having to hide some vocabularies entirely from unauthorized would take a lot of work.

So then there is no need to add authentication functionality into Skosmos: the question of access is better solved on a different layer (e.g. webserver/proxy) than the PHP code of Skosmos. Just my 2 cents.