Should we create a shared net-sasl gem?

[nevans]

Currently, the following gems duplicate partial support for a small subset of SASL mechanisms:

• net-imap
• net-smtp
• net-pop (it's actually missing, but it should be in there)
• net-ldap
• blather (XMPP)
• memcached
• dalli (another memcached client)
• ...and probably many others.

This duplication and incomplete support basically defeats the purpose of SASL. It seems to me that SASL is used in a wide enough number of internet protocols that some level of SASL support should be in stdlib. See e.g. it's in java standard edition

We could start with a very simple API, which only handles client-side authentication and doesn't do much more than Net::IMAP already does. Simply providing a standard for pluggable support is useful. E.g here's a starter proposal:

• class Net::SASL::Registry to allow non-global config, so e.g. a mechanism could be added to Net::IMAP without affecting other libraries.
  • #add_authenticator(name, mechanism_class)
  • #authenticator(name, *args)
  • both of these methods would also be available from a global registry on Net::SASL
• Net::SASL::Authenticator interface (can provide a super-class with NotImplementedError on perform):
  • #initialize(*credentials, uri: nil)
    • some mechanisms require the host and port, and supporting that in the generic interface simplifies making clients work properly regardless of which mechanism is selected.
  • #supports_initial_response?
  • #process(challenge) - just as with Net::IMAP. IR sends a nil challenge
  • #done? - for mechanisms implementing a state machine, users of the library can know it is done without needing to call #perform and catch an exception.
  • respond_to?(...)could be used for backwards compatibility with Net::IMAP authenticators which haven't yet been updated to add supports_initial_response? or #done?.
• utility methods:
  • Net::SASL.saslprep(string) - implements RFC4013, which is required by some mechanisms and recommended for others

And, of course, we could start by adding the existing Net::IMAP mechanisms. But it would be simple and very useful to add OAUTHBEARER and some others as well.

I've marked #22 as a draft, pending some discussion about this. Is this the correct place to discuss this? Should I create a ticket in the ruby issue tracker?

• Extract authenticators to their own files #22
• 🔒⚗️ Add experimental SASL::ClientAdapter #183
• 🔒 SASL: Clarify usage of username vs authcid vs authzid #187
• ♻️ Use SASL::ClientAdapter #194
• ✨ Add secret alias (for password, oauth2_token, etc) to relevant SASL mechanisms #195

[nevans]

FYI: I pushed a proof of concept here: master...nevans:net-sasl

[shugo]

net-* are not bundled gems, but default gems now, so such a structural change may affect maintenance cost of Ruby releases.

@hsbt What do you think?

[nevans]

I definitely don't want to increase maintenance costs. But this functionality is already in default gems twice (net-imap and net-smtp) and it's noticeably missing from net-pop. It probably would've been added net-pop too... if a simple shared SASL library had existed. 😄 My hope is that this could maybe decrease overall maintenance cost across all three projects?

I've just released https://rubygems.org/gems/net-sasl v0.1.0, and I'll happily transfer ownership of the gem if the proposal is accepted. I've created a new branch which uses it (master...nevans:net-sasl-gem) and I can submit draft PRs to net-smtp and net-pop later in the week.

I was planning to add support for ANONYMOUS, EXTERNAL, XOAUTH, and OAUTHBEARER. And I noticed that the ruby-kafka gem has support for GSSAPI, SCRAM-SHA-256, and SCRAM-SHA-512, so those should be relatively simple to copy over as well. Of course these can just as easily be added to net-imap as to net-sasl, but with net-sasl we can make them automatically available to any library that uses it: IMAP, POP, SMTP, LDAP, XMPP, Kafka, etc.

What do you think?

[shugo]

I'm for your proposal, but I'm not a maintainer of net-smtp and net-pop, so I'll wait for replies to PRs to them.

[nevans]

Great, thanks. I'll put those PRs together when I have time (next week probably).

[Neustradamus]

To follow :)