
Implement /auth for EIDA

Project description

Method /auth for EIDA authentication

This project is the implementation of the /auth method as described in EIDA.

Input: a signed token (its validity is checked by the program)

Output: a login and password in the login:password form

This login and password are valid for a limited amount of time (typically 24h).

Playing around

pip install gunicorn httpie
gunicorn --reload -w 1 eidaws_auth:auth

Then, to send a POST request:

http localhost:8000/version
http POST localhost:8000 < token.asc

Running tests

pip install -e .
pytest

Configuration

The configuration is set in the eidawsauth/config.py file.

There are 4 classes:

  • Config : the root class with some defaults
  • Production : the configuration suitable for production
  • Test : the configuration suitable for pytest
  • Dev : the configuration for the development environment

You can choose the configuration class by setting the RUNMODE environment variable. The default value is DEVELOPMENT.

RUNMODE=PRODUCTION gunicorn -w 4 eidaws_auth:auth

Database initialisation

User and minimum privileges

grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select,insert,update,delete on table users,credentials to eidawsauth;
grant select,update on sequence users_user_index_seq to eidawsauth;
\c "resifInv-Prod"
grant select,insert,update,delete on table eida_temp_users to eidawsauth;
grant select on table networks to eidawsauth;
grant select,update on sequence aut_user_user_id_seq to eidawsauth;

Expected tables schema

AUTHDB

Table users: starting from the existing table, an expires_at column has to be added.

alter table users add column if not exists expires_at timestamp default null;

Table credentials: no modification to the resifAuth schema.

PRIVILEDGEDB

Table aut_user: no modification to the resifInv-Prod schema.

  Colonne   |  Type   | Collationnement | NULL-able |                Par défaut                 | Stockage |
------------+---------+-----------------+-----------+-------------------------------------------+----------+
 user_id    | integer |                 | not null  | nextval('aut_user_user_id_seq'::regclass) | plain    |
 network_id | bigint  |                 |           | 0                                         | plain    |
 network    | text    |                 | not null  |                                           | extended |
 start_year | integer |                 | not null  | 0                                         | plain    |
 end_year   | integer |                 | not null  | 0                                         | plain    |
 name       | text    |                 | not null  |                                           | extended |
Index :
    "aut_user_pkey" PRIMARY KEY, btree (user_id)
    "uniq_aut_user" UNIQUE CONSTRAINT, btree (network, start_year, end_year, name)
Contraintes de clés étrangères :
    "aut_user_network_id_fkey" FOREIGN KEY (network_id) REFERENCES networks(network_id) ON DELETE SET DEFAULT

Explanations

What does this program do?

Steps

  1. Get all configurations and set up the database connections
  2. Read the data from the POST request. NOTE: a size limit should be enforced on the WSGI server
  3. Verify the token's signature using the geofon public key
  4. Parse the token's information
  5. Compute a random login and password
  6. Register them in the resifAuth database, along with the expires_at value (24h)
  7. From the member-of field in the token:
    • map the EPOS names to FDSN references using the epos_fdsn table in the resifAuth database (an FDSN reference is the network name, start year and end year)
    • register the login along with the FDSN references and the expiration date in the resifInv-Prod database, table access
  8. Return the login:password to the client
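Steps 4 to 7 of the flow above, written out as an added Python example that is not the project's own code. It assumes the PGP signature has already been verified against the geofon key and the JSON body extracted; the field names, the ";"-separated member-of format and the in-memory EPOS_FDSN dict standing in for the epos_fdsn table are assumptions.

```python
import json
import secrets
import string
from datetime import datetime, timedelta, timezone

# Constructed sample: the JSON body of a token after signature verification.
# Field names and the ";"-separated memberof format are assumptions.
SAMPLE_PAYLOAD = json.dumps({
    "mail": "user@example.org",
    "memberof": "/epos/ebs;/epos/ws;/epos/unknown",
    "valid_until": "2099-01-01T00:00:00Z",
})

# Assumed stand-in for the epos_fdsn table: EPOS group -> (network, start, end).
EPOS_FDSN = {
    "/epos/ebs": ("FR", 1962, 2099),
    "/epos/ws": ("ZO", 2015, 2020),
}

def parse_token(payload, now):
    """Step 4: parse the verified body and reject a token past its validity."""
    data = json.loads(payload)
    valid_until = datetime.fromisoformat(data["valid_until"].replace("Z", "+00:00"))
    if valid_until <= now:
        raise ValueError("token expired")
    return data

def random_credentials(length=16):
    """Step 5: login and password drawn from a CSPRNG, never from random()."""
    alphabet = string.ascii_letters + string.digits
    login = "".join(secrets.choice(alphabet) for _ in range(length))
    password = "".join(secrets.choice(alphabet) for _ in range(length))
    return login, password

def fdsn_references(memberof, mapping=EPOS_FDSN):
    """Step 7: map EPOS groups to FDSN references; unknown groups grant nothing."""
    groups = [g for g in memberof.split(";") if g]
    return [mapping[g] for g in groups if g in mapping]

def build_auth_response(payload, now, ttl_hours=24):
    """Steps 4-7 combined; the caller persists the result (step 6) and returns it."""
    data = parse_token(payload, now)
    login, password = random_credentials()
    return {
        "credentials": f"{login}:{password}",
        "expires_at": now + timedelta(hours=ttl_hours),
        "privileges": fdsn_references(data["memberof"]),
    }
```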

Other methods

/version

Returns the version number and the environment string.

/cleanup

Removes old users, credentials and privileges.

It's probably a good idea to protect this method at the webserver level.

Source Distribution

eidawsauth-0.3.1.tar.gz (7.5 kB)
