# Method /auth for EIDA authentication

This project is the implementation of the `/auth` method as described in EIDA.

Input: a signed token (its signature and validity are checked by the program)

Output: a login and password in the `login:password` form

This login and password are valid for a limited time (typically 24h)

## Configuration

To configure the database connection, copy `configurations/default.py` to, for instance, `configurations/production.py`, then edit the copy with the values you need.

The configuration file is chosen from the value of the `RUNMODE` environment variable:

``` shell
RUNMODE=development python eidawsauth.py
```

## Database initialisation

### User and minimum privileges

The grants below assume a dedicated login role `eidawsauth` already exists. The role needs nothing beyond these grants: it owns none of the tables and gets no DDL rights.

``` sql
grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select,insert,update,delete on table users,credentials to eidawsauth;
grant select,update on sequence users_user_index_seq to eidawsauth;
\c "resifInv-Prod"
grant select,insert,update,delete on table eida_temp_users to eidawsauth;
grant select on table networks to eidawsauth;
grant select on table resif_users to eidawsauth;
grant select,update on sequence aut_user_user_id_seq to eidawsauth;
```

### Expected table schemas

#### AUTHDB

Table `users`:
the existing table needs an additional `expires_at` column (`null` for the pre-existing permanent accounts, the expiry time for accounts created by `/auth`).

``` sql
alter table users add column if not exists expires_at timestamp default null;
```

Table `credentials`:

``` sql
alter table credentials add column if not exists expires_at timestamp default null;
```

#### PRIVILEDGEDB

Table `aut_user`: the existing table needs the `expires_at` column as well.

``` sql
alter table aut_user add column if not exists expires_at timestamp default null;
```

Table `eida_temp_users`:

``` sql
CREATE TABLE public.eida_temp_users (
    network text,
    start_year integer,
    end_year integer,
    name text,
    network_id bigint DEFAULT 0,
    expires_at timestamp without time zone
);

ALTER TABLE ONLY public.eida_temp_users
    ADD CONSTRAINT unique_privilege UNIQUE (name, network_id);

ALTER TABLE ONLY public.eida_temp_users
    ADD CONSTRAINT eida_temp_users_network_id_fkey FOREIGN KEY (network_id) REFERENCES public.networks(network_id) ON DELETE SET DEFAULT;

-- GRANT ALL is wider than the select/insert/update/delete listed under
-- "User and minimum privileges"; that narrower grant is enough for the service.
GRANT ALL ON TABLE public.eida_temp_users TO eidawsauth;
GRANT SELECT ON TABLE public.eida_temp_users TO resifinv_ro;
```

Table `epos_network_map`:

``` sql
create table epos_network_map (
    epos_network_map_id bigint generated always as identity,
    epos_name text,
    network_id bigint,
    created_at timestamp with time zone default now(),
    updated_at timestamp with time zone default now(),
    primary key(epos_network_map_id),
    constraint fk_network foreign key(network_id) references networks(network_id) );
grant select on epos_network_map to eidawsauth;
-- one mapping row per EPOS group, for instance:
insert into epos_network_map (epos_name, network_id) values ('/epos/alparray', 34);
```

## Playing around

After the database initialisation, the application can be run in a virtual environment.

``` shell
pip install -r requirements.txt
cd eidawsauth
FLASK_ENV=development RUNMODE=development python eidawsauth.py
```
Then, to query the version and send a POST request (the `http` command is HTTPie):

``` shell
http localhost:8000/version
http POST localhost:8000 < token.asc
```

## Running tests

## Configuration

The configuration is made through environment variables.

### Databases access
For convenience, all the database connection parameters (except passwords) are hardcoded when `RUNMODE` is set to `production` or `preproduction`.

Look at `eidawsauth/config.py` for the list of environment variables needed. There are sensible defaults for RESIF.

The minimal environment for RESIF is:

  * `RUNMODE`: set to `production` or `preproduction`
  * `PGPASSWORD`: if the same user is set for both databases, this value is used for both. Otherwise, set `RESIFINV_PGPASSWORD` and `RESIFAUTH_PGPASSWORD`

# Explanations

What does this program do?

## Steps

0. Get all configurations and set up the database connections
1. Read the data from the POST request
   NOTE: a request body size limit should be set on the WSGI server, since the token is read in full
2. Verify the token's signature using the GEOFON public key
3. Parse the token's information
4. Compute a random login and password
5. Register them in the resifAuth database, along with the `expires_at` value (24h)
6. From the `member-of` field in the token:
   - map the EPOS names to FDSN references using the epos_fdsn table in the resifAuth database
     (the FDSN reference is the network name, start year and end year)
   - register the login along with the FDSN references and the expiration date in the resifInv-Prod database, table `access`
   (the schema section above calls these tables `epos_network_map` and `eida_temp_users`)
7. Return the `login:password` to the client
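The following is an added example and not the project's code: it implements the steps after the signature check in plain Python, so the issuing logic can be read and run on its own. The token field names (`mail`, `memberof`, `valid_until`), the `;` separator between group names, the `eida_` login prefix and the `NETWORK_MAP` dictionary standing in for the `epos_network_map` table are all assumptions made for the example; the rows that the service would write to the databases are returned instead of executed.

```python
import json
import secrets
import string
from datetime import datetime, timedelta, timezone

# Lifetime of the issued login:password pair (24h per the README).
CREDENTIAL_LIFETIME = timedelta(hours=24)
ALPHABET = string.ascii_letters + string.digits

# Fixed "current time" so the example is reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed stand-in for the epos_network_map / networks tables:
# EPOS group name -> (network code, start_year, end_year, network_id).
# The network code and years are made up for the example.
NETWORK_MAP = {
    "/epos/alparray": ("Z3", 2015, 2022, 34),
}

# Constructed token payloads: the JSON that remains once the PGP clear
# signature has been verified and stripped.  Field names are assumptions.
SAMPLE_TOKEN = json.dumps({
    "mail": "alice@example.org",
    "memberof": "/epos/alparray;/epos/no-such-group",
    "valid_until": "2099-01-01T00:00:00Z",
})
EXPIRED_TOKEN = json.dumps({
    "mail": "bob@example.org",
    "memberof": "/epos/alparray",
    "valid_until": "2020-01-01T00:00:00Z",
})


def parse_token(payload: str, now: datetime) -> dict:
    """Parse the payload and refuse a token past its own validity.
    Signature verification must already have happened: a payload that was
    not signed by the expected key must never reach this function."""
    data = json.loads(payload)
    valid_until = datetime.fromisoformat(data["valid_until"].replace("Z", "+00:00"))
    if valid_until < now:
        raise ValueError("token expired at %s" % valid_until.isoformat())
    return data


def random_credentials(password_length: int = 16) -> tuple:
    """Login and password from the CSPRNG (secrets), never random.random().
    Only [A-Za-z0-9] (plus the fixed prefix) is used, so the pair can be
    returned as login:password without any escaping."""
    login = "eida_" + "".join(secrets.choice(ALPHABET) for _ in range(8))
    password = "".join(secrets.choice(ALPHABET) for _ in range(password_length))
    return login, password


def map_privileges(memberof: str, network_map: dict) -> list:
    """Translate EPOS group names to FDSN references.
    Assumes groups are ';'-separated; an unknown group grants nothing."""
    return [network_map[g] for g in memberof.split(";") if g in network_map]


def issue(payload: str, now: datetime, network_map: dict = NETWORK_MAP) -> dict:
    """Parse, generate credentials, compute expiry, map privileges.
    Returns the rows the service would write to users/credentials (resifAuth)
    and eida_temp_users (resifInv-Prod), plus the response for the client."""
    token = parse_token(payload, now)
    login, password = random_credentials()
    expires_at = now + CREDENTIAL_LIFETIME
    privileges = [
        {"name": login, "network": net, "start_year": start, "end_year": end,
         "network_id": nid, "expires_at": expires_at}
        for net, start, end, nid in map_privileges(token["memberof"], network_map)
    ]
    return {
        "response": "%s:%s" % (login, password),
        "user": {"login": login, "mail": token["mail"], "expires_at": expires_at},
        "privileges": privileges,
    }


if __name__ == "__main__":
    result = issue(SAMPLE_TOKEN, datetime.now(timezone.utc))
    print(result["response"])
    for row in result["privileges"]:
        print(row)
```

An unknown group in `memberof` is dropped rather than rejected: the user still gets credentials, but no privilege row for that group, which matches the schema where `eida_temp_users` only holds rows for mapped networks.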

# Other methods

## /version

Returns the version number and the environment string.

## /cleanup

Removes users, credentials and privileges whose `expires_at` is in the past.

It's probably a good idea to protect this method at the webserver level, for example by restricting which clients may reach it, since anyone who can reach it can trigger the deletion.
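As an added example (not the project's code), this is the expiry sweep that `/cleanup` has to run, executed against an in-memory SQLite stand-in so it can be tried offline. The real service talks to PostgreSQL; the `users` and `credentials` tables are reduced to the columns the sweep needs, the rows are constructed, and the deletion order (credentials before users) is an assumption in case the real database has a foreign key between them.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Fixed sweep time so the example is reproducible.
SWEEP_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Tables that /auth writes, each with the nullable expires_at column added in
# the schema section.  This tuple is a constant: the table name is never
# taken from the request, so formatting it into the SQL text is safe.
SWEEP_TABLES = ("credentials", "users", "eida_temp_users")


def build_sample_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the two PostgreSQL databases, with
    only the columns the sweep needs and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users (login text, expires_at text);
        create table credentials (login text, password text, expires_at text);
        create table eida_temp_users (
            network text, start_year integer, end_year integer,
            name text, network_id integer default 0, expires_at text);
    """)
    permanent = None                                         # pre-existing account
    stale = (SWEEP_TIME - timedelta(hours=1)).isoformat()    # issued more than 24h ago
    live = (SWEEP_TIME + timedelta(hours=10)).isoformat()    # still valid
    conn.executemany("insert into users values (?, ?)",
                     [("resif_admin", permanent), ("eida_old", stale), ("eida_new", live)])
    conn.executemany("insert into credentials values (?, ?, ?)",
                     [("resif_admin", "x", permanent), ("eida_old", "x", stale),
                      ("eida_new", "x", live)])
    conn.executemany("insert into eida_temp_users values (?, ?, ?, ?, ?, ?)",
                     [("Z3", 2015, 2022, "eida_old", 34, stale),
                      ("Z3", 2015, 2022, "eida_new", 34, live)])
    conn.commit()
    return conn


def cleanup(conn: sqlite3.Connection, now: datetime) -> dict:
    """Delete every row whose expires_at lies in the past; returns the
    number of rows removed per table.  Permanent rows have no expiry and
    must survive: the explicit IS NOT NULL keeps that intent visible even
    though NULL < x would not be true in SQL anyway.  Timestamps are stored
    as ISO-8601 UTC text here, so string comparison orders them correctly."""
    deleted = {}
    cur = conn.cursor()
    for table in SWEEP_TABLES:
        cur.execute(
            "delete from %s where expires_at is not null and expires_at < ?" % table,
            (now.isoformat(),),
        )
        deleted[table] = cur.rowcount
    conn.commit()
    return deleted


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    """Row count for one of the swept tables (whitelisted name only)."""
    assert table in SWEEP_TABLES
    return conn.execute("select count(*) from %s" % table).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print(cleanup(db, SWEEP_TIME))
    print({t: count_rows(db, t) for t in SWEEP_TABLES})
```

Against PostgreSQL the same statements work with a real `timestamp` column and `now()` in place of the bound string; the point that carries over is the `IS NOT NULL` guard, which is what keeps pre-existing accounts (whose `expires_at` was left at the column default) out of the sweep.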