Development: Add documentation for authentication mechanisms

[SimonEntholzer]

Checklist

General

• This is a small issue that I tested locally and was confirmed by another developer on a test server.
• Language: I followed the guidelines for inclusive, diversity-sensitive, and appreciative language.
• I chose a title conforming to the naming conventions for pull requests.

Motivation and Context

We introduced the ability to admins to change the order of authentication mechanisms, and to toggle each of them.
Currently this feature is missing in the documentation.

Description

Adds the relevant documentation, for:

• The different authentication mechanisms, with their differences
• How to configure their order (by admins)

Steps for Testing

1. View the documentation and make sure it's comprehensible and understandable
2. Potentially make sure all linked pages work correctly (e.g. links leading to SSH documentation)

Testserver States

You can manage test servers using Helios. Check environment statuses in the environment list. To deploy to a test server, go to the CI/CD page, find your PR or branch, and trigger the deployment.

Review Progress

Only documentation

Code Review

• Review 1
• Review 2
• Review 3
• Review 4

Screenshots

-> open the deployed documentation

Summary by CodeRabbit

• New Features

  • Introduced a configuration option for repository authentication mechanisms (password, token, SSH) with customizable order.

• Documentation

  • Enhanced clarity on repository types and access rights, including a structured table for user roles.
  • Added detailed references and sections on authentication mechanisms, token management, and secure Git operations.

[coderabbitai]

Walkthrough

This pull request introduces a new configuration option for repository authentication in Artemis. The change adds the line repository-authentication-mechanisms: password,token,ssh in the application-local.yml file under the version-control section. Documentation in multiple files has been updated to explain the new configuration and detail repository access rights, authentication mechanisms, token usage, and SSH key configuration. New sections, headers, and cross-references have been added, while no existing functionality was removed.

Changes

Files	Change Summary
docs/dev/setup/integrated-code-lifecycle.rst, docs/dev/setup/server.rst	Added the configuration option repository-authentication-mechanisms: password,token,ssh in application-local.yml with an explanatory sentence.
docs/user/exercises/programming-repository-access.inc	Introduced a new section header _repository-types-and-access featuring a table that outlines repository types and associated role-based access rights.
docs/user/icl/general.rst	Added cross references to “Repository Authentication Mechanisms” and “Tokens” to enhance the ICL documentation.
docs/user/icl/local-vc-authentication.inc	Created new sections on “Authentication Mechanisms”, “Token Creation as Instructor”, and “Using SSH keys to secure Git operations”, along with updates to repository cloning instructions.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant Artemis
    participant VCS
    User->>Artemis: Request access to repository
    Artemis->>Artemis: Read configuration (password, token, SSH)
    Artemis-->>User: Display available auth methods (in configured order)
    User->>Artemis: Select authentication method (e.g., token)
    Artemis->>VCS: Authenticate using selected method
    VCS-->>Artemis: Return authentication result
    Artemis-->>User: Provide access response

Loading

Possibly related PRs

• Development: Improve LocalVC and SSH documentation #9394: The changes in the main PR, which add a new configuration option for repository authentication mechanisms in the application-local.yml file, are directly related to the modifications in the retrieved PR that enhance documentation on SSH and Local Version Control, as both involve authentication methods for accessing repositories.
• Development: Update documentation for localVC SSH setup #8835: The changes in the main PR regarding the addition of a new configuration option for repository authentication mechanisms are related to the updates in the retrieved PR that emphasize SSH access configuration for repositories, as both involve modifications to the application-local.yml file and the SSH setup documentation.

Suggested labels

component:Programming, ready to merge

Suggested reviewers

• b-fein
• JohannesStoehr
• coolchock
• dfuchss
• magaupp

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai or @coderabbitai title anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (5)

docs/user/icl/local-vc-authentication.inc (2)

43-46: Add explicit security recommendations.

While the document mentions preferences, it would be helpful to add explicit security recommendations. Consider adding a note about disabling password authentication in production environments.

 Therefore, the order of authentication mechanisms should be ideally set up in the following order: token, SSH, and lastly password, with the option to disable password authentication entirely.
+
+.. note:: For production environments, it is recommended to disable password authentication entirely and only allow token and SSH authentication methods.

---

6-7: Add configuration reference.

Add a reference to the configuration section for better discoverability.

 Artemis supports three mechanisms for authenticating to repositories: password authentication, token authentication and authentication via SSH.
-Admins can configure which mechanisms should be available for users, and the order in which they appear in the code button drop down, as described :ref:`here<Configure Artemis>`.
+Admins can configure which mechanisms should be available for users using the ``repository-authentication-mechanisms`` configuration option, and the order in which they appear in the code button drop down, as described :ref:`here<Configure Artemis>`.

docs/user/icl/general.rst (1)

11-12: Improve formatting consistency.

Align the description text for better readability.

-- :ref:`Repository Authentication Mechanisms<authentication-mechanisms>`:    The different available and configurable repository authentication mechanisms.
+- :ref:`Repository Authentication Mechanisms<authentication-mechanisms>`: The different available and configurable repository authentication mechanisms.

docs/dev/setup/integrated-code-lifecycle.rst (1)

45-46: Add configuration examples.

Consider adding examples of different authentication mechanism configurations to illustrate common use cases.

 # order and supported authentication mechanisms:
 repository-authentication-mechanisms: password,token,ssh
+# Example configurations:
+# Disable password authentication:
+# repository-authentication-mechanisms: token,ssh
+# Only allow token authentication:
+# repository-authentication-mechanisms: token

docs/dev/setup/server.rst (1)

47-47: Enhance Documentation Clarity for New Configuration Option

The new configuration option repository-authentication-mechanisms: password,token,ssh is added to specify the order of authentication mechanisms shown to users in the code button. This change is clear; however, consider adding a brief explanation or a link to further documentation on how each mechanism is used and why the order matters. This extra context would be beneficial for users configuring their application.

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b015d33 and 1911094.

⛔ Files ignored due to path filters (3)

• docs/user/icl/local-vc/add-vcs-access-token.png is excluded by !**/*.png, !**/*.png
• docs/user/icl/local-vc/code-button-extended-authentication.png is excluded by !**/*.png, !**/*.png
• docs/user/icl/local-vc/ssh-add-public-key.png is excluded by !**/*.png, !**/*.png

📒 Files selected for processing (5)

• docs/dev/setup/integrated-code-lifecycle.rst (2 hunks)
• docs/dev/setup/server.rst (1 hunks)
• docs/user/exercises/programming-repository-access.inc (1 hunks)
• docs/user/icl/general.rst (1 hunks)
• docs/user/icl/local-vc-authentication.inc (3 hunks)

🔇 Additional comments (1)

docs/user/exercises/programming-repository-access.inc (1)

1-137: LGTM! Well-structured documentation.

The repository types, access rights, and roles are clearly documented with comprehensive tables and explanations.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/user/icl/local-vc-authentication.inc (2)

6-7: Add security recommendations and usage guidance.

Consider enhancing this introduction with:

1. Clear security recommendations for each authentication method
2. Specific guidance on when to use each method (e.g., development vs. production)

 Artemis supports three mechanisms for authenticating to repositories: password authentication, token authentication and authentication via SSH.
 Admins can configure which mechanisms should be available for users, and the order in which they appear in the code button drop down, as described :ref:`here<Configure Artemis>`.
+
+For security reasons, we recommend:
+* Using token authentication for most scenarios due to its balance of security and ease of use
+* Using SSH authentication for production environments or when handling sensitive data
+* Avoiding password authentication except when other methods are not available

---

119-121: Add information about recommended SSH key types.

Consider adding guidance about recommended SSH key types and algorithms for security best practices.

 Artemis provides a simple way for users to connect securely to repositories, using SSH to perform Git operations.
 Next is a :ref:`small and basic introduction to SSH<basic SSH introduction>`, and if you already know it, :ref:`here is a guide on how to create SSH keys<create ssh key>`.
 If you already have an SSH key, :ref:`learn how to add it to your Artemis account here<create ssh key>`.
+
+For optimal security, we recommend using:
+* ED25519 keys (preferred)
+* RSA keys with at least 3072 bits
+* Keys with passphrases for additional protection

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1911094 and 092c5ab.

📒 Files selected for processing (1)

• docs/user/icl/local-vc-authentication.inc (3 hunks)

🔇 Additional comments (2)

docs/user/icl/local-vc-authentication.inc (2)

93-93: LGTM! Security warning added as suggested.

The security warning about token handling has been added as recommended in previous reviews.

---

1-123: Overall documentation changes look good!

The documentation effectively explains the authentication mechanisms, provides clear instructions, and includes important security considerations. The structure is logical and the content is comprehensive.

[HanyangXu0508]

test localled and worked as expected

[az108]

Documentation easy to understand and LGTM 👍

[simonbohnen]

Documentation looks very nice and understandable 👌🏼

[Feras797]

well written documentation, LGTM!

[HawKhiem]

Documentation LGTM. Approve

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

docs/user/icl/local-vc-authentication.inc (3)

17-47: LGTM! Comprehensive comparison with clear recommendations.

The section effectively compares authentication methods and provides clear guidance on the recommended order. The security considerations are well-documented.

Consider adding a note about password manager integration for users who must use password authentication, to help them maintain strong, unique passwords:

 Password authentication remains the default but should be used with caution — admins are encouraged to disable it when possible or enforce strong password policies to enhance security.
+When using password authentication, it's recommended to use a password manager to generate and store strong, unique passwords.

---

48-87: LGTM! Clear cloning instructions for all authentication methods.

The instructions are well-organized and use appropriate placeholder values in examples.

Consider adding a note about the differences in URL format between authentication methods:

 Clone over SSH:
+
+.. note:: Notice that SSH URLs use a different format (ssh://) compared to HTTPS URLs. Make sure to use the correct format based on your chosen authentication method.

---

101-118: LGTM! Clear token creation instructions.

The instructions are well-organized and include helpful visual guidance.

Consider adding best practices for token management:

 2. Create a new token
+3. Consider adding a description to your token to track its purpose and usage
+4. Store the token securely as it won't be shown again

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 697d602 and ad696d3.

📒 Files selected for processing (1)

• docs/user/icl/local-vc-authentication.inc (1 hunks)

🔇 Additional comments (4)

docs/user/icl/local-vc-authentication.inc (4)

1-8: LGTM! Well-structured introduction.

The section provides a clear overview of authentication mechanisms and properly references the configuration documentation.

---

9-15: LGTM! Clear figure inclusion.

The figure is well-formatted with proper alt text and alignment, enhancing the documentation with visual context.

---

88-100: LGTM! Clear token documentation with proper security warning.

The section effectively explains token types and includes appropriate security warnings.

---

119-126: LGTM! Well-structured SSH key documentation.

The section provides a good introduction with appropriate cross-references to detailed guides.

[BBesrour]

lgtm, just a small nitpick

[simonbohnen]

Reapprove 👌🏼

[Feras797]

re-approve

[flbrgit]

Looks good 👍

[vinceclifford]

Looks good to me.

[magaupp]

Changes look good

[sawys777]

Great documentation