Implement pluggable authentication and session support for replicator

Previously replicator used only basic authentication. It was simple and
straightforward. However, with PBKDF2 hashing becoming the default it would be
nice not to do all the password verification work with every single request,
and instead take advantage of session (cookie) based authentication.

This commit implements session based authentication via a plugin mechanism.
The list of available replicator auth modules is configurable. For example:

```
[replicator]
auth_plugins = couch_replicator_auth_session,couch_replicator_auth_basic
```

The plugins will be tried in order. The first one to successfully initialize
will end up being used for that endpoint (source or target).

During the initialization callback, a plugin could decide it cannot be used in
the current context. In that case it signals to be "ignored". The plugin
framework will then skip over it and try to initialize the next on in the list.

`couch_replicator_auth_basic` effectively implements the old behavior. This
plugin should normally be used as a default catch-all at the end of the plugin
list. In some cases, it might be useful to enforce exclusive use of
session-based auth and fail replication jobs if it is not available.

`couch_replicator_auth_session` does most of the work of handling session based
authentication. On initialization, it strips away basic auth credentials from
headers and url to avoid basic auth being used on the server. Then it is in
charge of periodically issuing POST requests to `_session`, updating the
headers of each request with the latest cookie value, and possibly picking up
new session cookie if the server can issue them along with reglar responses.

Currently session based auth plugin is not enabled by default and is an opt-in
feature. That is, users would have to explicitly add the session module to the
list of auth_plugins. In a future, session might be used by default.

As discussed in #1153 this work also removes OAuth 1.0 support. After
server-side support was removed, it had stopped working anyway since the main
oauth app was removed. However, with the plugin framework in place it would be
possible for someone to implement it as a separate module not entangled with
the rest of the replicator code.

Fixes #1153

1 files changed, 15 insertions, 0 deletions

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 4017a0c22..03f4d14e0 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -430,6 +430,21 @@ ssl_certificate_max_depth = 3
 ; Re-check cluster state at least every cluster_quiet_period seconds
 ; cluster_quiet_period = 60
 
+; List of replicator client authentication plugins to try. Plugins will be
+; tried in order. The first to initialize successfully will be used for that
+; particular endpoint (source or target). Normally couch_replicator_auth_noop
+; would be used at the end of the list as a "catch-all". It doesn't do anything
+; and effectively implements the previous behavior of using basic auth.
+; There are currently two plugins available:
+;   couch_replicator_auth_session - use _session cookie authentication
+;   couch_replicator_auth_noop - use basic authentication (previous default)
+; Currently previous default behavior is still the default. To start using
+; session auth, use this as the list of plugins:
+; `couch_replicator_auth_session,couch_replicator_auth_noop`.
+; In a future release the session plugin might be used by default.
+;auth_plugins = couch_replicator_auth_noop
+
+
 [compaction_daemon]
 ; The delay, in seconds, between each check for which database and view indexes
 ; need to be compacted.