Implement /auth for EIDA
Project description
Method /auth for EIDA authentication
This project is the implementation of the /auth method as described in EIDA.
Input : a signed token (its validity is checked by the program)
Output : a login and password in the login:password form
This login and password pair is valid for a limited time (typically 24h).
Playing around
pip install gunicorn httpie
gunicorn --reload -w 1 eidaws_auth:auth
Then, to send a POST request :
http localhost:8000/version
http POST localhost:8000 < token.asc
Running tests
pip install -e .
pytest
Configuration
The configuration is set in the eidawsauth/config.py file.
There are 4 classes :
Config : the root class with some defaults
Production : the configuration suitable for production
Test : the configuration suitable for pytest
Dev : the configuration for the development environment
You can choose the configuration class by setting the RUNMODE environment variable. The default value is DEVELOPMENT.
RUNMODE=PRODUCTION gunicorn -w 4 eidaws_auth:auth
Database initialisation
User and minimum privileges
grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select,insert,update,delete on table users,credentials TO eidawsauth ;
grant select,update on sequence users_user_index_seq TO eidawsauth ;
\c "resifInv-Prod"
grant select,insert,update,delete on table eida_temp_users TO eidawsauth;
grant select on table networks to eidawsauth;
grant select,update on sequence aut_user_user_id_seq to eidawsauth ;
Expected tables schema
AUTHDB
Table users :
From the existing table, we have to add an expires_at column.
alter table users add column if not exists expires_at timestamp default null;
Table credentials :
No modification to the resifAuth schema.
PRIVILEDGEDB
Table aut_user :
No modification to the resifInv-Prod schema.
Colonne | Type | Collationnement | NULL-able | Par défaut | Stockage |
------------+---------+-----------------+-----------+-------------------------------------------+----------+
user_id | integer | | not null | nextval('aut_user_user_id_seq'::regclass) | plain |
network_id | bigint | | | 0 | plain |
network | text | | not null | | extended |
start_year | integer | | not null | 0 | plain |
end_year | integer | | not null | 0 | plain |
name | text | | not null | | extended |
Index :
"aut_user_pkey" PRIMARY KEY, btree (user_id)
"uniq_aut_user" UNIQUE CONSTRAINT, btree (network, start_year, end_year, name)
Contraintes de clés étrangères :
"aut_user_network_id_fkey" FOREIGN KEY (network_id) REFERENCES networks(network_id) ON DELETE SET DEFAULT
Explanations
What does this program do?
Steps
- Get all configurations and set up the database connections
- Read the data from the POST request. NOTE : we should put a size limit on the WSGI server
- Verify the token's signature using the geofon public key
- Parse the token's information
- Compute a random login and password
- Register this in the resifAuth database, along with the expires_at value (24h)
- From the member-of field in the token :
  - do the mapping from EPOS names to FDSN references using the epos_fdsn table in the resifAuth database (the FDSN reference is the network name, startyear, endyear)
  - register the login along with the FDSN references and the expiration date in the resifInv-Prod database, table access
- Return the login:password to the client
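As an added example (not the project's own code), the credential-issuance and cleanup steps above in Python. It assumes the token has already been signature-checked and parsed into a dict with a member-of list, stands in for the epos_fdsn table with an in-memory dict, and stores a hash instead of the clear password; signature verification and database writes are left out.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

VALIDITY = timedelta(hours=24)  # lifetime of the issued login:password

# Constructed stand-in for the epos_fdsn table: EPOS group -> (network, startyear, endyear)
EPOS_FDSN = {
    "/epos/examplegroup": ("XX", 2010, 2020),
    "/epos/othergroup": ("YY", 2015, 2025),
}


def utc_now():
    return datetime.now(timezone.utc)


def generate_credentials():
    """Random login and password drawn from the CSPRNG (secrets), never from random.random()."""
    login = "eida_" + secrets.token_hex(4)
    password = secrets.token_urlsafe(16)
    return login, password


def map_memberof(memberof):
    """Map EPOS group names to FDSN references; unknown groups grant nothing."""
    return [EPOS_FDSN[group] for group in memberof if group in EPOS_FDSN]


def issue(parsed_token, now=None):
    """Return the login:password for the client plus the rows to register.

    user        -> row for the resifAuth users table (with expires_at)
    privileges  -> one row per FDSN reference for the resifInv-Prod database
    """
    now = now or utc_now()
    login, password = generate_credentials()
    expires_at = now + VALIDITY
    # Assumption: the password is stored hashed; the page does not state the storage format.
    user = {"login": login, "password_hash": hashlib.sha256(password.encode()).hexdigest(),
            "expires_at": expires_at}
    privileges = [{"login": login, "network": net, "start_year": start, "end_year": end,
                   "expires_at": expires_at}
                  for net, start, end in map_memberof(parsed_token.get("member-of", []))]
    return f"{login}:{password}", user, privileges


def cleanup(rows, now):
    """What /cleanup does: keep only rows whose expires_at has not passed."""
    return [row for row in rows if row["expires_at"] > now]
```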
Other methods
/version
returns the version number and environment string.
/cleanup
Remove old users, credentials and privileges.
It's probably a good idea to protect this method at the webserver level.