# Method /auth for EIDA authentication

This project is the implementation of the `/auth` method as described in EIDA.

Input: a signed token (its validity is checked by the program).

Output: a login and password in the `login:password` form.

This login and password are valid for a limited time (typically 24h).
## Configuration

To configure the database connection, copy `configurations/default.py` to `configurations/production.py`, for instance, then edit the file with everything you need.

The name of the configuration file is chosen from the value of the `RUNMODE` environment variable:

``` shell
RUNMODE=development python eidawsauth.py
```

## Database initialisation

### User and minimum privileges

``` sql
grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select,insert,update,delete on table users,credentials to eidawsauth;
grant select,update on sequence users_user_index_seq to eidawsauth;
\c "resifInv-Prod"
grant select,insert,update,delete on table eida_temp_users to eidawsauth;
grant select on table networks to eidawsauth;
grant select,update on sequence aut_user_user_id_seq to eidawsauth;
```

### Expected tables schema

#### AUTHDB
Table `users`: an `expires_at` column has to be added to the existing table.

``` sql
alter table users add column if not exists expires_at timestamp default null;
```

Table `credentials`:

``` sql
alter table credentials add column if not exists expires_at timestamp default null;
```
#### PRIVILEDGEDB
Table `eida_temp_users`:

``` sql
alter table aut_user add column if not exists expires_at timestamp default null;

CREATE TABLE public.eida_temp_users (
    network text,
    start_year integer,
    end_year integer,
    name text,
    network_id bigint DEFAULT 0,
    expires_at timestamp without time zone
);

ALTER TABLE ONLY public.eida_temp_users
    ADD CONSTRAINT unique_privilege UNIQUE (name, network_id);

ALTER TABLE ONLY public.eida_temp_users
    ADD CONSTRAINT eida_temp_users_network_id_fkey FOREIGN KEY (network_id) REFERENCES public.networks(network_id) ON DELETE SET DEFAULT;

GRANT ALL ON TABLE public.eida_temp_users TO eidawsauth;
GRANT SELECT ON TABLE public.eida_temp_users TO resifinv_ro;
```
## Playing around

After the Database initialisation, the application can be run in a virtual environment.

``` shell
pip install -r requirements.txt
cd eidawsauth
FLASK_ENV=development RUNMODE=development python eidawsauth.py
```
Then, to send a POST request:

``` shell
http localhost:8000/version
http POST localhost:8000 < token.asc
```

## Running tests

## Configuration

The configuration is made through environment variables.

### Databases access
For convenience, all the database connection parameters (except the password) are hardcoded when `RUNMODE` is set to `production` or `preproduction`.

Look at `eidawsauth/config.py` for the list of environment variables needed. There are sensible defaults for RESIF.

Minimal environment for RESIF is:

  * `RUNMODE`: set to `production` or `preproduction`
  * `PGPASSWORD`: if the same user is set for both databases, this value is used for both. Otherwise, set `RESIFINV_PGPASSWORD` and `RESIFAUTH_PGPASSWORD`.
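The following is an added example, not the project's own `config.py`, showing how the two Configuration sections above fit together: `RUNMODE` selects the configuration module from a fixed allowlist (an unexpected value is refused instead of being turned into a module name), and the database passwords are resolved from `PGPASSWORD` or the per-database `RESIFINV_PGPASSWORD` / `RESIFAUTH_PGPASSWORD` with no hardcoded fallback. The `DbConfig` and `Config` classes, the `describe()` helper and the default `eidawsauth` role are assumptions of this example.

```python
import os
from dataclasses import dataclass
from typing import Mapping

# RUNMODE values named on this page; any other value is refused instead of being
# turned into a module name (assumed allowlist; extend it if more modes exist).
ALLOWED_RUNMODES = ("development", "preproduction", "production")


@dataclass(frozen=True)
class DbConfig:
    database: str
    user: str
    password: str


@dataclass(frozen=True)
class Config:
    runmode: str
    config_module: str      # e.g. "configurations.production"
    resifauth: DbConfig
    resifinv: DbConfig


def _require(env, *names):
    """Return the first non-empty value among the given variables, else fail closed."""
    for name in names:
        value = env.get(name)
        if value:
            return value
    raise RuntimeError("none of %s is set" % ", ".join(names))


def load_config(env: Mapping[str, str], auth_user="eidawsauth", inv_user="eidawsauth") -> Config:
    """Resolve RUNMODE, the configuration module and the two database passwords.

    auth_user/inv_user are the PostgreSQL roles for resifAuth and resifInv-Prod
    (assumed to default to the eidawsauth role granted in the SQL above).
    """
    runmode = env.get("RUNMODE", "")
    if runmode not in ALLOWED_RUNMODES:
        raise ValueError("RUNMODE must be one of %s, got %r" % (ALLOWED_RUNMODES, runmode))
    # The module name is derived only from the allowlisted value, never from free-form input.
    config_module = "configurations." + runmode

    if auth_user == inv_user:
        # Same role on both databases: PGPASSWORD covers both, specific variables win if set.
        auth_password = _require(env, "RESIFAUTH_PGPASSWORD", "PGPASSWORD")
        inv_password = _require(env, "RESIFINV_PGPASSWORD", "PGPASSWORD")
    else:
        # Different roles: each database needs its own password, PGPASSWORD is ignored.
        auth_password = _require(env, "RESIFAUTH_PGPASSWORD")
        inv_password = _require(env, "RESIFINV_PGPASSWORD")

    return Config(
        runmode=runmode,
        config_module=config_module,
        resifauth=DbConfig("resifAuth", auth_user, auth_password),
        resifinv=DbConfig("resifInv-Prod", inv_user, inv_password),
    )


def describe(config: Config) -> dict:
    """Loggable view of the configuration with every password masked."""
    def masked(db):
        return {"database": db.database, "user": db.user, "password": "***"}
    return {
        "runmode": config.runmode,
        "config_module": config.config_module,
        "resifauth": masked(config.resifauth),
        "resifinv": masked(config.resifinv),
    }


if __name__ == "__main__":
    # Fails loudly when RUNMODE or a password is missing, instead of starting half-configured.
    print(describe(load_config(os.environ)))
```

Failing closed on a missing password, and never logging the resolved configuration without `describe()`, are the two properties worth keeping whatever the real `config.py` looks like.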
# Explanations

What does this program do?

## Steps

0. Get all configurations and set up database connections
1. Read the data from the POST request
   NOTE: we should put a size limit on the WSGI server
2. Verify the token's signature using the GEOFON public key
3. Parse the token's information
4. Compute a random login and password
5. Register this in the resifAuth database, along with the `expires_at` value (24h)
6. From the `member-of` field in the token:
   - do the mapping from EPOS names to FDSN references from the epos_fdsn table in the resifAuth database;
     the FDSN reference is the network name, startyear, endyear
   - register the login along with the FDSN references and the expiration date in the resifInv-Prod database, table `access`
7. Return the `login:password` to the client
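As an added example (not the project's code), the steps above applied to a constructed token. Signature verification against the GEOFON public key needs a PGP implementation, so it is injected as a callable; the size limit from the NOTE, the clear-signed parsing, the validity check, the random credentials, the 24h `expires_at` and the `member-of` mapping are all carried out here. The token field names (`valid_until`, `cn`, `mail`), the `EPOS_FDSN` stand-in for the `epos_fdsn` table and the credential formats are assumptions.

```python
import json
import re
import secrets
import string
from datetime import datetime, timedelta, timezone

MAX_BODY_BYTES = 8 * 1024                     # size limit the NOTE asks for (assumed value)
CREDENTIAL_LIFETIME = timedelta(hours=24)     # the 24h expires_at stated on this page
SAMPLE_NOW = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the example

# Constructed clear-signed token. The JSON field names (valid_until, cn, mail,
# member-of) and the placeholder signature block are assumptions for this example.
SAMPLE_TOKEN = b"""-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

{"valid_until": "2099-01-01T00:00:00", "cn": "Jane Doe", "mail": "jane@example.org",
 "member-of": "/epos/restricted_net_a;/epos/restricted_net_b;/epos/unknown_group"}
-----BEGIN PGP SIGNATURE-----
placeholder-signature-block
-----END PGP SIGNATURE-----
"""

# Constructed stand-in for the epos_fdsn table: EPOS group -> (network, startyear, endyear).
EPOS_FDSN = {
    "/epos/restricted_net_a": ("XA", 2015, 2025),
    "/epos/restricted_net_b": ("YB", 2010, 2099),
}

# Clear-signed layout: BEGIN line, "Hash:" header lines, blank line, payload, signature block.
_CLEARSIGNED = re.compile(
    rb"-----BEGIN PGP SIGNED MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n(.*?)\r?\n-----BEGIN PGP SIGNATURE-----",
    re.S,
)
_ALPHABET = string.ascii_letters + string.digits


def read_post_body(body: bytes) -> bytes:
    """Refuse oversized bodies before anything is parsed (the WSGI-level limit the NOTE mentions)."""
    if len(body) > MAX_BODY_BYTES:
        raise ValueError("token larger than %d bytes" % MAX_BODY_BYTES)
    return body


def parse_token(body: bytes, verify_signature, now) -> dict:
    """Verify the signature, extract the JSON payload and check the token is still valid."""
    if not verify_signature(body):               # must check against the GEOFON public key
        raise PermissionError("token signature does not verify")
    match = _CLEARSIGNED.search(body)
    if match is None:
        raise ValueError("not a PGP clear-signed message")
    info = json.loads(match.group(1))
    valid_until = datetime.fromisoformat(info["valid_until"]).replace(tzinfo=timezone.utc)
    if valid_until < now:
        raise PermissionError("token expired at %s" % valid_until.isoformat())
    return info


def make_credentials(now):
    """Random login and password from the OS CSPRNG, valid for CREDENTIAL_LIFETIME."""
    login = "eida_" + "".join(secrets.choice(_ALPHABET) for _ in range(12))
    password = "".join(secrets.choice(_ALPHABET) for _ in range(24))
    return login, password, now + CREDENTIAL_LIFETIME


def privileges(info: dict, login: str, expires_at, epos_fdsn=EPOS_FDSN):
    """Map each member-of group to its FDSN reference; groups without a mapping grant nothing."""
    rows = []
    for group in filter(None, info.get("member-of", "").split(";")):
        ref = epos_fdsn.get(group)
        if ref is None:
            continue
        network, start_year, end_year = ref
        rows.append({"login": login, "network": network, "start_year": start_year,
                     "end_year": end_year, "expires_at": expires_at})
    return rows


def handle_auth(body: bytes, verify_signature, now=None) -> dict:
    """Run the whole /auth flow and return what would be stored and what is sent back."""
    now = now or datetime.now(timezone.utc)
    info = parse_token(read_post_body(body), verify_signature, now)
    login, password, expires_at = make_credentials(now)
    return {
        "response": "%s:%s" % (login, password),                   # body returned to the client
        "credential": {"login": login, "expires_at": expires_at},   # row for resifAuth (password storage not shown)
        "privileges": privileges(info, login, expires_at),          # rows for resifInv-Prod
    }
```

The order matters: the size check runs before the regex, the signature check before `json.loads`, and the expiry check before any credential is minted, so a malformed or unsigned body never reaches the database.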

# Other methods

## /version

Returns the version number and the environment string.

## /cleanup

Remove old users, credentials and privileges.

It's probably a good idea to protect this method at the webserver level.
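Added example (not the project's code) serving both the "Expected tables schema" section and `/cleanup`: the `eida_temp_users` table with its `unique_privilege` constraint, `ON DELETE SET DEFAULT` foreign key and `expires_at` column, exercised on an in-memory SQLite database as a stand-in for PostgreSQL so it runs offline. The DDL is adapted to SQLite syntax, and the `networks` and `credentials` tables are minimal constructed stand-ins with only the columns used here.

```python
import sqlite3
from datetime import datetime, timedelta

SAMPLE_NOW = datetime(2030, 6, 1, 12, 0)   # fixed clock for the example

# DDL adapted from the page's eida_temp_users definition; networks and credentials are
# minimal constructed stand-ins for the real tables (only the columns used here).
SCHEMA = """
CREATE TABLE networks (network_id INTEGER PRIMARY KEY, network TEXT NOT NULL);
INSERT INTO networks VALUES (0, 'NONE');   -- row that ON DELETE SET DEFAULT falls back to
CREATE TABLE credentials (login TEXT PRIMARY KEY, password_hash TEXT, expires_at TEXT);
CREATE TABLE eida_temp_users (
    network     TEXT,
    start_year  INTEGER,
    end_year    INTEGER,
    name        TEXT,
    network_id  INTEGER DEFAULT 0 REFERENCES networks(network_id) ON DELETE SET DEFAULT,
    expires_at  TEXT,
    CONSTRAINT unique_privilege UNIQUE (name, network_id)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")    # SQLite ignores REFERENCES without this
    conn.executescript(SCHEMA)
    return conn


def grant_privilege(conn, name, network_id, network, start_year, end_year, expires_at):
    """One row per (name, network_id): a repeated grant only refreshes expires_at."""
    conn.execute(
        "INSERT INTO eida_temp_users (network, start_year, end_year, name, network_id, expires_at) "
        "VALUES (?, ?, ?, ?, ?, ?) "
        "ON CONFLICT(name, network_id) DO UPDATE SET expires_at = excluded.expires_at",
        (network, start_year, end_year, name, network_id, expires_at.isoformat()),
    )


def cleanup(conn, now):
    """What /cleanup does: delete privileges and credentials whose expires_at has passed.
    The cutoff is a bound parameter, so no caller-controlled text reaches the statement."""
    cutoff = now.isoformat()
    removed_privileges = conn.execute(
        "DELETE FROM eida_temp_users WHERE expires_at < ?", (cutoff,)).rowcount
    removed_credentials = conn.execute(
        "DELETE FROM credentials WHERE expires_at < ?", (cutoff,)).rowcount
    conn.commit()
    return {"privileges": removed_privileges, "credentials": removed_credentials}


def active_privileges(conn, name, now):
    """FDSN references a login may still use: rows not yet expired."""
    return conn.execute(
        "SELECT network, start_year, end_year FROM eida_temp_users "
        "WHERE name = ? AND expires_at >= ? ORDER BY network",
        (name, now.isoformat()),
    ).fetchall()


def demo(now=SAMPLE_NOW):
    """Populate one expired and one live login, run the cleanup, report what is left."""
    conn = open_db()
    conn.execute("INSERT INTO networks VALUES (1, 'XA')")
    expired = now - timedelta(hours=1)          # issued more than 24h ago
    live = now + timedelta(hours=23)            # issued an hour ago
    conn.execute("INSERT INTO credentials VALUES (?, ?, ?)", ("eida_old", "<hash>", expired.isoformat()))
    conn.execute("INSERT INTO credentials VALUES (?, ?, ?)", ("eida_new", "<hash>", live.isoformat()))
    grant_privilege(conn, "eida_old", 1, "XA", 2015, 2025, expired)
    grant_privilege(conn, "eida_new", 1, "XA", 2015, 2025, live)
    grant_privilege(conn, "eida_new", 1, "XA", 2015, 2025, live)   # repeat: no duplicate row
    removed = cleanup(conn, now)
    remaining = active_privileges(conn, "eida_new", now)
    total_rows = conn.execute("SELECT count(*) FROM eida_temp_users").fetchone()[0]
    return removed, remaining, total_rows


if __name__ == "__main__":
    print(demo())
```

The cleanup takes no client input at all, which is why protecting `/cleanup` at the webserver level is about who may trigger it rather than what they can send; the only values in its statements are the server's own clock.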