Maciej Pasternacki

Seriously, where did this half a week come from? I can understand periods of time disappearing, but half a week appearing out of nowhere is something new to me. But I won't complain – extra time is good. ;)

Pencils down now. Of course, project continues, but evaluations for Google will be based on what is done now, thus gsoc_2008_pencils_down tag in darcs. The second tag is much nicer, it's 1_0_rc1. I think I got to a passable 1.0 version now. It may need some more unit tests (as always), documentation polishing, most probably there may still be bugs, and I don't want to call it a full 1.0 version before using the library in some actual application. Besides that, feature-, documentation- and API-wise all seems to be complete.

Work done since last report

• Fixed some bugs, esp. portability to other Lisps
• Some polishing (dropping unnecessary format string/argument pairs, renaming accessors, dependency updates, things like this)
• Documentation!
• Some unit tests (not that much)

Problems

This “Problems” section will list what doesn't seem to be complete after the “pencils down” timestamp rather than current problems. Completing those will go into 1.1:

• Unit tests don't cover much of actual protocol code. Not sure exactly how to do this, and whether it's worth to do it. We'll see.
• YADIS (#7), and Relying Party discovery (#13). Yadis support should be moved to a separate library, and used for discovering Relying Party return_to endpoints.
• Random number generation (#14). The rfc1750 should be implemented as a separate library atop Ironclad for secure pseudo-random number generation. Currently plain CL:RANDOM is used, which is not acceptable for security-sensitive deployments.
• With regard to original proposal, most of portability has been deemed actually irrelevant. Web server portability has been achieved, web client and storage portability has been dropped. All storage is in-memory and that's enough (keeping user data is responsibility of library's user, and associations / nonces/ authentication processes can be kept in memory).
• API for 1.0 was deliberately kept as simple and small as possible to have any functioning relying party or provider. Intended side-effect is that it may not be flexible enough to support users' actual needs. I decided to keep API small and simple, and to extend it to actual users' requirements, instead of trying to get most comprehensive API ever. Not actually a problem, but connected with above (when need for HTTP client or storage portability will actually arise, it will be added).
• Relying Party and Provider are not separate systems; the specific RP/OP code is small, and the required libraries are common anyway. It will most probably stay this way.
• Logging. As for now, logging is responsibility of CL-OpenID user. Maybe it would be useful if library itself was able to log events. Not before 1.1, though.

Plans for future

Similarly to problems, final report's plans are also referring to the general future instead of next half-week. I intend to support the library, and use it in my own Web projects. Current state of code is labeled 1.0rc1; after some discussions with users, using CL-OpenID in own code, I will label it 1.0. It will need to wait a bit, as bugs and omissions will surely manifest. I expect to have final 1.0 in September. After that, issues listed in “Problems” section are more of a TODO list for 1.1. When that is done, some actual deployments will be already done, and I will be able to tell whether it's maintenance phase already, or should the development continue to 1.2 or 2.0.

So, that's it. Pencils down. Planet PLD and other planet spammage by these reports will cease (contrary to some comments, there seems to be no spammage anywhere else since about two weeks, when I stopped redirecting those posts to techblog; if I'm wrong, please correct me even if it's too late). Now, off to announce 1.0rc1 to the world!

Final weekend ahead. Finishing the code, writing tests, docs, ensuring consistency… 1.0 is definitely on the radars.

Work done since last report

• Discussed bugs, priorities and requirements for 1.0
• Fixed bugs (#9, #12, few unlisted ones)
• Added comments to example code, polished comments
• Added some exports (message API and AUTH-PROCESS accessors)
• Add a bunch of tests, especially for message API
• Started working on documentation (locally, not commited yet)

Problems

None

Plans for next half week

• Add thread-safety and dependency on bordeaux-threads
• Finish documentation
• More tests, as many as possible

Since Monday 19:00 UTC is Google's pencils down date, next report (and last one of this form) will be sent on Monday evening instead of usual Tuesday.

Final week ahead. Time to focus on documentation and polishing; some bugs still left, mostly nontrivial ones, and not everything is covered by unit tests, but core functionality and final (I think) API is in place.

Work done since last report

• Moved code to proper source files, finalized source layout (I think)
• Separated examples
• First-class RP and OP, finalize proposed API
• Some minor tweaks and doc/comment updates
• Exported basic proposed API
• Fixed most of remaining bugs

Problems

Some bugs still left. Mostly they are nontrivial and I am a bit afraid to destabilize the code in last days before the deadline. Relying party discovery will have to wait until after the deadline. However, I think at least some of them should be fixed; however, I will focus more on documentation and tests.

Plans for next half week

• Discuss API
• Documentation: finish docstrings, start a DOCUMENTATION-TEMPLATE-based doc
• If time permits, comment examples
• Add tests
• Fix some outstanding bugs and suggestions: thread-safety, maybe realm checking

Refactoring is approaching end. I hope to have it done on the weekend, and spend final week on documentation and examples.

Work done since last report

• Updated internal message API to take care of formatting URIs, integers, and octet vectors as strings
• Use message API throughout the code
• Minor comment/documentation updates

Problems

None.

Plans for next half week

Finish refactoring:

• First class OP and RP
• Separate example code
• Fix outstanding bugs from Trac
• Export symbols for final API

Work done since last report

• Add message utility functions and rewrite part of code to use those instead of list-level mangling
• Many minor bugfixes and cosmetic (formatting, naming consistency etc) fixes
• Comment and docstring fixes
• Fix possible DoS: Use counters instead of GENTEMP for generating unique IDs, don't inter endpoint URIs when associating
• Introduce and use AUTH-PROCESS structure instead of ID alist
• Update tests, add some for newly introduced functions

Problems

None.

Plans for next half week

• Write more tests
• More docstring fixes
• Introduce first-class RP and OP, if time permits
• Logging, if time permits

Work done since last report

• Discussed refactoring and final API, reaching conclusion on most issues
• A bit of general cleanup
• Docstring and comment additions
• More moving to shared.lisp
• Moved message-specific functions to message.lisp

Problems

Work actually done differs a bit from what I was planning to do mainly as a result of the discussion mentioned in previous section. The message class idea has been rejected since it was really a premature optimization (which, as we all know, is root of all evil) – so I backed out of it, and stayed with alists, but separated message-related code.

Plans for next half week

• Finish factoring out messages
• Tests!
• Authorization process structure (for what is called ID across the code)

Work done since last report

• Improved OpenID v1 compatibility in provider
• Moved general library functions to shared.lisp
• Few one-line fixes, cosmetics, docstrings, formatting etc
• (uncommited) Started work on MESSAGE structure, which will represent a single OpenID protocol message and will be one of base types after refactoring.

Problems

None whatsoever.

Plans for next half week

• Tests for shared.lisp functions
• Review existing tests, update or temporarily comment out outdated ones
• Finish MESSAGE structure and use it thorough prototypes
• Tests for MESSAGE class, if time permits

This report is a day late, but for good reason. For last few days I've been hunting bugs and edge cases for the provider prototype, and just finished it. It passes the server test at openidenabled.com and generally seems to work (at least for OpenID 2.0, 1.0 compatibility is not tested yet). So, it's just testing the 1.0 compatibility, and off to refactoring and polishing!

Work done since last report

• Fixed a bunch of minor bugs and typos
• Fixed the remaining bug in creating associations
• Support for successful response from the provider
• Support check_authentication and stateless mode
• Factor out responses to separate functions, introduce callbacks for user interaction

Problems

None, except the usual 90 / 10 Rule.

Plans for next half week

• 1.0 compatibility, probably
• Start refactoring: move out common parts of code to a single file
• If time permits, sketch an OO architecture and API for Relying Party

Work done since last report

• Finished and commited support for generating new associations
• In RP, display auth response verification errors
• Treat query parameters and addresses without trailing slash in RP return_to URI correctly
• Initial provider prototype (no positive assertions yet, only "cancel" and "setup_needed" responses)

Problems

Delay mentioned in earlier posts. I am working on catching up.

Plans for next half week

Finish OP prototype: construction of positive assertions, callback mechanism for end user interaction