fix

.gitignore

@@ -1,2 +1,6 @@
 __pycache__/
-ENV
+ENV
+config/
+*~
+.*~
+

Dockerfile

@@ -16,15 +16,17 @@ ENV JWT_SECRET='streng_geheim'
 
 RUN \
     apt update && \
-    apt install -y libmariadbclient-dev && \
-    pip3 install mariadb && \
+    apt install -y postgresql-client-common && \
+    pip3 install psycopg2 && \
+    pip3 install loguru && \
     pip3 install dateparser && \
     pip3 install connexion && \
     pip3 install connexion[swagger-ui] && \
     pip3 install uwsgi && \
     pip3 install flask-cors && \
     pip3 install six && \
-    pip3 install python-jose[cryptography]
+    pip3 install python-jose[cryptography] && \
+    pip3 install pbkdf2
 
 RUN \
     mkdir -p ${APP_DIR} && \

ENV.tmpl

@@ -1,9 +1,10 @@
 # copy to ENV and adjust values
 
 export DB_HOST="172.16.10.18"
-export DB_USER="hausverwaltung-ui"
+export DB_USER="authservice-ui"
 export DB_PASS="test123"
 export DB_NAME="authservice"
 
 # only required for decoding, on client side
 export JWT_SECRET='streng_geheim'
+export JWT_ISSUER='de.hottis.authservice'

asadduser.py

@@ -0,0 +1,59 @@
+#!/usr/bin/python
+
+import mariadb
+from pbkdf2 import crypt
+import argparse
+import os
+
+
+parser = argparse.ArgumentParser(description='asadduser')
+parser.add_argument('--user', '-u',
+                    help='Login', 
+                    required=True)
+parser.add_argument('--password', '-p',
+                    help='Password', 
+                    required=True)
+parser.add_argument('--application', '-a',
+                    help='Application', 
+                    required=True)
+
+args = parser.parse_args()
+user = args.user
+password = args.password
+application = args.application
+
+
+DB_USER = os.environ["DB_USER"]
+DB_PASS = os.environ["DB_PASS"]
+DB_HOST = os.environ["DB_HOST"]
+DB_NAME = os.environ["DB_NAME"]
+
+pwhash = crypt(password, iterations=100000)
+
+conn = None
+cur = None
+try:
+    conn = mariadb.connect(user = DB_USER, password = DB_PASS,
+                            host = DB_HOST, database = DB_NAME)
+    conn.autocommit = False
+
+    cur = conn.cursor()
+    cur.execute("""
+INSERT INTO users (login, pwhash)
+  VALUES(?, ?)
+""", [user, pwhash])
+    cur.execute("""
+INSERT INTO  user_applications_mapping (application, user)
+  VALUES(
+      (SELECT id FROM applications WHERE name = ?),
+      (SELECT id FROM users WHERE login = ?)
+  )
+""", [application, user])
+    conn.commit()
+finally:
+    if cur:
+        cur.close()
+    if conn:
+        conn.rollback()
+        conn.close()
+

auth.py

@@ -1,107 +1,371 @@
 import time
 import connexion
-from jose import JWTError, jwt
+from jose import JWTError, jwt, jwe
+import json
+from jose.exceptions import ExpiredSignatureError
 import werkzeug
 import os
-import mariadb
+import psycopg2
 from collections import namedtuple
+from pbkdf2 import crypt
+from loguru import logger
+import configparser
+import random
+import string
 
 
-DB_USER = os.environ["DB_USER"]
-DB_PASS = os.environ["DB_PASS"]
-DB_HOST = os.environ["DB_HOST"]
-DB_NAME = os.environ["DB_NAME"]
+DB_USER = ""
+DB_PASS = ""
+DB_HOST = ""
+DB_NAME = ""
+JWT_ISSUER = ""
+try:
+    DB_USER = os.environ["DB_USER"]
+    DB_PASS = os.environ["DB_PASS"]
+    DB_HOST = os.environ["DB_HOST"]
+    DB_NAME = os.environ["DB_NAME"]
+    JWT_ISSUER = os.environ["JWT_ISSUER"]
+except KeyError:
+    config = configparser.ConfigParser()
+    config.read('./config/config.ini')
+    DB_USER = config["database"]["user"]
+    DB_PASS = config["database"]["pass"]
+    DB_HOST = config["database"]["host"]
+    DB_NAME = config["database"]["name"]
+    JWT_ISSUER = config["jwt"]["issuer"]
 
 
-class NoUserException(Exception): pass
-class ManyUsersException(Exception): pass
+class NoUserException(Exception): 
+    pass
 
-UserEntry = namedtuple('UserEntry', ['id', 'login', 'issuer', 'secret', 'expiry', 'claims'])
+class RefreshTokenExpiredException(Exception): 
+    pass
+
+class NoTokenException(Exception): 
+    pass
+
+class NoValidTokenException(Exception): 
+    pass
+
+class ManyUsersException(Exception): 
+    pass
+
+class ManyTokensException(Exception): 
+    pass
+
+class PasswordMismatchException(Exception): 
+    pass
+
+class RefreshTokenExpiredException(Exception):
+    pass
 
 
+UserEntry = namedtuple('UserEntry', ['id', 'login', 'pwhash', 'expiry', 'claims'])
+RefreshTokenEntry = namedtuple('RefreshTokenEntry', ['id', 'salt', 'login', 'app', 'expiry'])
 
-def getUserEntryFromDB(login: str, password: str) -> UserEntry:
+JWT_PRIV_KEY = ""
+try:
+    JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]
+except KeyError:
+    with open('./config/authservice.key', 'r') as f:
+        JWT_PRIV_KEY = f.read()
+
+JWT_PUB_KEY = ""
+try:
+    JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
+except KeyError:
+    with open('./config/authservice.pub', 'r') as f:
+        JWT_PUB_KEY = f.read()
+
+
+def getUserEntryFromDB(application: str, login: str):
     conn = None
     cur = None
     try:
-        conn = mariadb.connect(user = DB_USER, password = DB_PASS,
-                               host = DB_HOST, database = DB_NAME)
+        conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
+                                host = DB_HOST, database = DB_NAME)
         conn.autocommit = False
 
-        cur = conn.cursor(dictionary=True)
-        # print("DEBUG: getUserEntryFromDB: login: <{}>, password: <{}>".format(login, password))
-        cur.execute("SELECT id, issuer, secret, expiry FROM user_and_issuer WHERE login = ? AND password = ?", 
-                    [login, password])
-        resObj = cur.next()
-        print("DEBUG: getUserEntryFromDB: resObj: {}".format(resObj))
-        if not resObj:
-            raise NoUserException()
-        invObj = cur.next()
-        if invObj:
-            raise ManyUsersException()
+        userObj = None
+        with conn.cursor() as cur:
+            cur.execute("SELECT id, pwhash, expiry FROM user_application_v" +
+                        "  WHERE application = %s AND login = %s", 
+                        (application, login))
+            userObj = cur.fetchone()
+            logger.debug("userObj: {}".format(userObj))
+            if not userObj:
+                raise NoUserException()
+            invObj = cur.fetchone()
+            if invObj:
+                raise ManyUsersException()
 
-        userId = resObj["id"]
-        cur.execute("SELECT user, `key`, `value` FROM claims_for_user where user = ?", 
-                    [userId])
         claims = {}
-        for claimObj in cur:
-            print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))
-            if claimObj["key"] in claims:
-                if isinstance(claimObj["key"], list):
-                    claims[claimObj["key"]].append(claimObj["value"])
+        with conn.cursor() as cur:
+            cur.execute('SELECT key, value FROM claims_for_user_v where "user" = %s and application = %s', 
+                        (userObj[0], application))
+            for claimObj in cur:
+                logger.debug("add claim {} -> {}".format(claimObj[0], claimObj[1]))
+                if claimObj[0] in claims:
+                    if isinstance(claims[claimObj[0]], list):
+                        claims[claimObj[0]].append(claimObj[1])
+                    else:
+                        claims[claimObj[0]] = [ claims[claimObj[0]] ]
+                        claims[claimObj[0]].append(claimObj[1])
                 else:
-                    claims[claimObj["key"]] = [ claims[claimObj["key"]] ]
-                    claims[claimObj["key"]].append(claimObj["value"])
-            else:
-                claims[claimObj["key"]] = claimObj["value"]
+                    claims[claimObj[0]] = claimObj[1]
                 
-        userEntry = UserEntry(id=userId, login=login, secret=resObj["secret"], 
-                              issuer=resObj["issuer"], expiry=resObj["expiry"], 
-                              claims=claims)
+        userEntry = UserEntry(id=userObj[0], login=login, pwhash=userObj[1], expiry=userObj[2], claims=claims)
 
         return userEntry
-    except mariadb.Error as err:
+    except psycopg2.Error as err:
+        raise Exception("Error when connecting to database: {}".format(err))
+    finally:
+        if conn:
+            conn.close()
+
+def getRefreshTokenFromDB(application, login):
+    conn = None
+    cur = None
+    try:
+        conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
+                                host = DB_HOST, database = DB_NAME)
+        conn.autocommit = False
+
+        with conn:
+            with conn.cursor() as cur:
+                cur.execute('SELECT u.id, u.expiry, a.name FROM user_t u, application_t a, user_application_mapping_t m' +
+                            '  WHERE u.login = %s AND ' +
+                            '  a.name = %s AND ' +
+                            '  a.id = m.application AND u.id = m."user"', 
+                            (login, application))
+                userObj = cur.fetchone()
+                logger.debug("userObj: {}".format(userObj))
+                if not userObj:
+                    raise NoUserException()
+                invObj = cur.fetchone()
+                if invObj:
+                    raise ManyUsersException()
+
+            with conn.cursor() as cur:
+                salt = ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(64))
+                cur.execute('INSERT INTO token_t ("user", salt, expiry)  VALUES (%s, %s, %s) RETURNING id', 
+                            (userObj[0], salt, userObj[1]))
+                tokenObj = cur.fetchone()
+                logger.debug("tokenObj: {}".format(tokenObj))
+                if not tokenObj:
+                    raise NoTokenException()
+                invObj = cur.fetchone()
+                if invObj:
+                    raise ManyTokensException()
+
+        refreshTokenEntry = RefreshTokenEntry(id=tokenObj[0], salt=salt, login=login, app=userObj[2], expiry=userObj[1])
+
+        return refreshTokenEntry
+    except psycopg2.Error as err:
+        raise Exception("Error when connecting to database: {}".format(err))
+    finally:
+        if conn:
+            conn.close()
+
+def getUserEntry(application, login, password):
+    userEntry = getUserEntryFromDB(application, login)
+    if userEntry.pwhash != crypt(password, userEntry.pwhash):
+        raise PasswordMismatchException()
+    return userEntry
+
+def generateToken(func, **args):
+    try:
+        body = args["body"]
+
+        application = ""
+        login = ""
+        password = ""
+        if (("application" in body) and
+            ("login" in body) and
+            ("password" in body)):
+            application = body["application"]
+            login = body["login"]
+            password = body["password"]
+        elif ("encAleTuple" in body):
+            clearContent = jwe.decrypt(body["encAleTuple"], JWT_PRIV_KEY)
+            clearObj = json.loads(clearContent)
+            application = clearObj["application"]
+            login = clearObj["login"]
+            password = clearObj["password"]
+        else:
+            raise KeyError("Neither application, login and password nor encAleTuple given")
+        
+        logger.debug(f"Tuple: {application} {login} {password}")
+
+        return func(application, login, password)
+    except NoTokenException:
+        logger.error("no token created")
+        raise werkzeug.exceptions.Unauthorized()
+    except ManyTokensException:
+        logger.error("too many tokens created")
+        raise werkzeug.exceptions.Unauthorized()
+    except NoUserException:
+        logger.error("no user found, login or application wrong")
+        raise werkzeug.exceptions.Unauthorized()
+    except ManyUsersException:
+        logger.error("too many users found")
+        raise werkzeug.exceptions.Unauthorized()
+    except PasswordMismatchException:
+        logger.error("wrong password")
+        raise werkzeug.exceptions.Unauthorized()
+    except KeyError:
+        logger.error("application, login or password missing")
+        raise werkzeug.exceptions.Unauthorized()
+    except Exception as e:
+        logger.error("unspecific exception: {}".format(str(e)))
+        raise werkzeug.exceptions.Unauthorized()
+
+
+def _makeSimpleToken(application, login, password, refresh=False):
+    userEntry = getUserEntry(application, login, password) if not refresh else getUserEntryFromDB(application, login)
+
+    timestamp = int(time.time())
+    payload = {
+        "iss": JWT_ISSUER,
+        "iat": int(timestamp),
+        "exp": int(timestamp + userEntry.expiry),
+        "sub": str(userEntry.id),
+        "aud": application
+    }
+    logger.debug("claims: {}".format(userEntry.claims))
+    for claim in userEntry.claims.items():
+        logger.debug("add claim {}".format(claim))
+        payload[claim[0]] = claim[1]
+
+    return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
+
+def _makeRefreshToken(application, login, password):
+    refreshTokenEntry = getRefreshTokenFromDB(application, login)
+
+    timestamp = int(time.time())
+    payload = {
+        "iss": JWT_ISSUER,
+        "iat": int(timestamp),
+        "exp": int(timestamp + refreshTokenEntry.expiry),
+        "sub": str(refreshTokenEntry.login),
+        "xap": str(refreshTokenEntry.app),
+        "xid": str(refreshTokenEntry.id),
+        "xal": str(refreshTokenEntry.salt)
+    }
+
+    return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
+
+def _makeRefreshableTokens(application, login, password):
+    authToken = _makeSimpleToken(application, login, password)
+    refreshToken = _makeRefreshToken(application, login, password)
+    return {
+        "authToken": authToken,
+        "refreshToken": refreshToken
+    }
+
+def generateSimpleToken(**args):
+    return generateToken(_makeSimpleToken, **args)
+
+def generateRefreshableTokens(**args):
+    return generateToken(_makeRefreshableTokens, **args)
+
+def getPubKey():
+    return JWT_PUB_KEY
+
+def decodeToken(token):
+    try:
+        return jwt.decode(token, JWT_PUB_KEY, audience="test")
+    except JWTError as e:
+        logger.error("{}".format(e))
+        raise werkzeug.exceptions.Unauthorized()
+
+def testToken(user, token_info):
+    return {
+        "message": f"You are user_id {user} and the provided token has been signed by this issuers. Fine.",
+        "details": token_info
+    }
+
+
+def checkAndInvalidateRefreshToken(login, xid, xal):
+    conn = None
+    cur = None
+    try:
+        conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
+                                host = DB_HOST, database = DB_NAME)
+        conn.autocommit = False
+
+        with conn:
+            with conn.cursor() as cur:
+                cur.execute('SELECT t.id FROM token_t t, user_t u' +
+                            '  WHERE t.id = %s AND ' +
+                            '        t.salt = %s AND ' +
+                            '        t."user" = u.id AND ' +
+                            '        u.login = %s',
+                            (xid, xal, login))
+                tokenObj = cur.fetchone()
+                logger.debug("tokenObj: {}".format(tokenObj))
+                if not tokenObj:
+                    raise NoTokenException()
+                invObj = cur.fetchone()
+                if invObj:
+                    raise ManyTokensException()
+
+            with conn.cursor() as cur:
+                cur.execute('UPDATE token_t SET used = used + 1 WHERE id = %s', 
+                            [ xid ])
+    except psycopg2.Error as err:
         raise Exception("Error when connecting to database: {}".format(err))
     finally:
-        if cur:
-            cur.close()
         if conn:
-            conn.rollback()
             conn.close()
 
 
-def getUserEntry(login: str, password: str) -> UserEntry:
-    return getUserEntryFromDB(login, password)
-
-
-def generateToken(**args):
+def refreshTokens(**args):
     try:
-        body = args["body"]
-        login = body["login"]
-        password = body["password"]
-        userEntry = getUserEntryFromDB(login, password)
+        refreshToken = args["body"]
+        refreshTokenObj = jwt.decode(refreshToken, JWT_PUB_KEY)
+        logger.info(str(refreshTokenObj))
 
-        timestamp = int(time.time())
-        payload = {
-            "iss": userEntry.issuer,
-            "iat": int(timestamp),
-            "exp": int(timestamp + userEntry.expiry),
-            "sub": str(userEntry.id)
+        if refreshTokenObj["exp"] < int(time.time()):
+            raise RefreshTokenExpiredException()
+
+        checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"])
+
+        authToken = _makeSimpleToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "", refresh=True)
+        refreshToken = _makeRefreshToken(refreshTokenObj["xap"], refreshTokenObj["sub"], "")
+        return {
+            "authToken": authToken,
+            "refreshToken": refreshToken
         }
-        for claim in userEntry.claims.items():
-            # print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))
-            payload["x-{}".format(claim[0])] = claim[1]
-
-        return jwt.encode(payload, userEntry.secret)
+    except JWTError as e:
+        logger.error("jwt.decode failed: {}".format(e))
+        raise werkzeug.exceptions.Unauthorized()
+    except RefreshTokenExpiredException:
+        logger.error("refresh token expired")
+        raise werkzeug.exceptions.Unauthorized()
+    except NoTokenException:
+        logger.error("no token created/found")
+        raise werkzeug.exceptions.Unauthorized()
+    except NoValidTokenException:
+        logger.error("no valid token found")
+        raise werkzeug.exceptions.Unauthorized()
+    except ManyTokensException:
+        logger.error("too many tokens created/found")
+        raise werkzeug.exceptions.Unauthorized()
     except NoUserException:
-        print("ERROR: generateToken: no user found, login or password wrong")
+        logger.error("no user found, login or application wrong")
         raise werkzeug.exceptions.Unauthorized()
     except ManyUsersException:
-        print("ERROR: generateToken: too many users found")
+        logger.error("too many users found")
+        raise werkzeug.exceptions.Unauthorized()
+    except PasswordMismatchException:
+        logger.error("wrong password")
         raise werkzeug.exceptions.Unauthorized()
     except KeyError:
-        print("ERROR: generateToken: login or password missing")
+        logger.error("application, login or password missing")
         raise werkzeug.exceptions.Unauthorized()
     except Exception as e:
-        print("ERROR: generateToken: unspecific exception: {}".format(str(e)))
+        logger.error("unspecific exception: {}".format(str(e)))
         raise werkzeug.exceptions.Unauthorized()
+
+

build.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 
 IMAGE_NAME="registry.hottis.de/wolutator/authservice"
-VERSION=0.0.1
+VERSION=0.3.x
 
 docker build -t ${IMAGE_NAME}:${VERSION} .
-docker push ${IMAGE_NAME}:${VERSION}
+# docker push ${IMAGE_NAME}:${VERSION}
 

initial-schema.sql

@@ -1,81 +1,69 @@
-CREATE TABLE `issuers` (
-    `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
-    `name` varchar(128) NOT NULL,
-    `secret` varchar(128) NOT NULL,
-    `max_expiry` int(10) NOT NULL,
-    CONSTRAINT PRIMARY KEY (`id`),
-    CONSTRAINT UNIQUE KEY `uk_issuers_name` (`name`)
-) ENGINE=InnoDB;
+create sequence application_s start with 1 increment by 1;
+create table application_t (
+    id integer primary key not null default nextval('application_s'),
+    name varchar(128) not null unique
+);
 
-ALTER TABLE `issuers`
-  MODIFY COLUMN `max_expiry` int(10) unsigned NOT NULL;
+create sequence user_s start with 1 increment by 1;
+create table user_t (
+    id integer primary key not null default nextval('user_s'),
+    login varchar(64) not null unique,
+    pwhash varchar(64) not null,
+    expiry integer not null default 600
+);
 
-CREATE TABLE `users` (
-  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
-  `login` varchar(64) NOT NULL,
-  `password` varchar(64) NOT NULL,
-  CONSTRAINT PRIMARY KEY (`id`),
-  CONSTRAINT UNIQUE KEY `uk_users_login` (`login`)
-) ENGINE=InnoDB;
+create sequence token_s start with 1 increment by 1;
+create table token_t (
+    id integer primary key not null default nextval('token_s'),
+    "user" integer not null references user_t (id),
+    salt varchar(64) not null,
+    valid boolean not null default true
+);
 
-ALTER TABLE `users`
-  ADD COLUMN issuer int(10) unsigned;
-  
-ALTER TABLE `users`
-  MODIFY COLUMN issuer int(10) unsigned NOT NULL;
+create sequence claim_s start with 1 increment by 1;
+create table claim_t (
+    id integer primary key not null default nextval('claim_s'),
+    key varchar(64) not null,
+    value varchar(64) not null,
+    application integer not null references application(id),
+    unique (key, value)
+);
 
-ALTER TABLE `users`
-  ADD CONSTRAINT FOREIGN KEY `fk_users_issuer` (`issuer`)
-    REFERENCES `issuers` (`id`);
+create table user_claim_mapping_t (
+    "user" integer not null references user_t(id),
+    claim integer not null references claim_t(id),
+    unique ("user", claim)
+);
 
-ALTER TABLE `users`
-  DROP CONSTRAINT `uk_users_login`;
+create table user_application_mapping_t (
+    "user" integer not null references user_t(id),
+    application integer not null references application_t(id),
+    unique ("user", application)
+);
 
-ALTER TABLE `users`
-  ADD CONSTRAINT UNIQUE KEY `uk_users_login_issuer` (`login`, `issuer`);
+create or replace view claims_for_user_v as
+    select u.id as "user",
+           a.name as application,
+           c.key as key,
+           c.value as value
+      from user_t u,
+           claim_t c,
+           user_claim_mapping_t m,
+           application_t a
+      where m.user = u.id and
+            m.claim = c.id and 
+            a.id = c.application;
+   
+create or replace view user_application_v as
+    select u.login as login,
+           u.pwhash as pwhash,
+           u.id as id,
+           u.expiry as expiry,
+           a.name as application
+      from user_t u,
+           application_t a,
+           user_application_mapping_t m
+      where u.id = m.user and
+            a.id = m.application;
 
-ALTER TABLE `users`
-  ADD COLUMN expiry int(10) unsigned;
-  
-ALTER TABLE `users`
-  MODIFY COLUMN expiry int(10) unsigned NOT NULL;
-
-CREATE TABLE `claims` (
-    `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
-    `key` varchar(64) NOT NULL,
-    `value` varchar(1024) NOT NULL,
-    CONSTRAINT PRIMARY KEY (`id`),
-    CONSTRAINT UNIQUE KEY `uk_claims_key_value` (`key`, `value`)
-) ENGINE=InnoDB;
-
-CREATE TABLE `user_claims_mapping` (
-    `user` int(10) unsigned NOT NULL,
-    `claim` int(10) unsigned NOT NULL,
-    CONSTRAINT UNIQUE KEY `uk_user_claims_mapping` (`user`, `claim` ),
-    CONSTRAINT FOREIGN KEY `fk_user_claims_mapping_user` (`user`)
-        REFERENCES `users`(`id`),
-    CONSTRAINT FOREIGN KEY `fk_user_claims_mapping_claim` (`claim`)
-        REFERENCES `claims`(`id`)
-) ENGINE=InnoDB;
-
-CREATE OR REPLACE VIEW claims_for_user AS
-    SELECT u.id AS user, 
-           c.`key` AS `key`, 
-           c.`value` AS `value` 
-        FROM users u, 
-             claims c, 
-             user_claims_mapping m 
-        WHERE m.user = u.id AND
-              m.claim = c.id;
-
-CREATE OR REPLACE VIEW user_and_issuer AS   
-    SELECT u.login AS login,
-           u.password AS password,
-           u.id AS id,
-           i.name AS issuer,
-           i.secret AS secret,
-           least(u.expiry, i.max_expiry) AS expiry
-        FROM users u,
-             issuers i
-        WHERE u.issuer = i.id;
 

openapi.yaml

@@ -4,16 +4,18 @@ info:
   version: "0.1"
 
 paths:
-  /auth:
+  /token:
     post:
       tags: [ "JWT" ]
-      summary: Return JWT token
-      operationId: auth.generateToken
+      summary: Accepts encrypted or clear set of credentials, returns JWT token 
+      operationId: auth.generateSimpleToken
       requestBody:
         content:
           'application/json':
             schema:
-              $ref: '#/components/schemas/User'
+              anyOf:
+                - $ref: '#/components/schemas/User'
+                - $ref: '#/components/schemas/EncUser'
       responses:
         '200':
           description: JWT token
@@ -21,20 +23,69 @@ paths:
             'text/plain':
               schema:
                 type: string
-  /secret:
-    get:
+  /refreshable:
+    post:
       tags: [ "JWT" ]
+      summary: Accepts encrypted or clear set of credentials, returns tuple of AuthToken and RefreshToken
+      operationId: auth.generateRefreshableTokens
+      requestBody:
+        content:
+          'application/json':
+            schema:
+              anyOf:
+                - $ref: '#/components/schemas/User'
+                - $ref: '#/components/schemas/EncUser'
+      responses:
+        '200':
+          description: Token tuple
+          content:
+            'application/json':
+              schema:
+                $ref: '#/components/schemas/TokenTuple'
+  /refresh:
+    post:
+      tags: [ "JWT" ]
+      summary: Accepts refresh token, returns tuple of AuthToken and RefreshToken
+      operationId: auth.refreshTokens
+      requestBody:
+        content:
+          'text/plain':
+            schema:
+              $ref: '#/components/schemas/RefreshToken'
+      responses:
+        '200':
+          description: Token tuple
+          content:
+            'application/json':
+              schema:
+                $ref: '#/components/schemas/TokenTuple'
+  /test:
+    get:
+      tags: [ "Test" ]
       summary: Return secret string
-      operationId: test.getSecret
+      operationId: auth.testToken
       responses:
         '200':
           description: secret response
+          content:
+            'application/json':
+              schema:
+                $ref: '#/components/schemas/TestOutput'
+      security:
+      - jwt: ['secret']
+  /pubkey:
+    get:
+      tags: [ "JWT" ]
+      summary: Get the public key of this issuer
+      operationId: auth.getPubKey
+      responses:
+        '200':
+          description: public key
           content:
             'text/plain':
               schema:
                 type: string
-      security:
-      - jwt: ['secret']
+
 
 components:
   securitySchemes:
@@ -42,13 +93,44 @@ components:
       type: http
       scheme: bearer
       bearerFormat: JWT
-      x-bearerInfoFunc: test.decodeToken
+      x-bearerInfoFunc: auth.decodeToken
   schemas:
     User:
-      description: Login/Password tuple
+      description: Application/Login/Password tuple
       type: object
       properties:
+        application:
+          type: string
         login: 
           type: string
         password: 
           type: string
+    EncUser:
+      description: Encrypted Application/Login/Password tuple
+      type: object
+      properties:
+        encAleTuple:
+          type: string
+    TestOutput:
+      description: Test Output
+      type: object
+      properties:
+        message:
+          type: string
+        details:
+          type: object
+    AuthToken:
+      description: Token for authentication purposes, just a string
+      type: string
+    RefreshToken:
+      description: Token for refresh purposes, just a string
+      type: string
+    TokenTuple:
+      description: Test Output
+      type: object
+      properties:
+        authToken:
+          $ref: '#/components/schemas/AuthToken'
+        refreshToken:
+          $ref: '#/components/schemas/RefreshToken'
+

readme.md

@@ -0,0 +1,13 @@
+Generate the RSA key pair using:
+
+
+Private key (keep it secret!):
+
+   openssl genrsa -out authservice.key 2048
+
+
+Extract the public key (publish it):
+
+   openssl rsa -in authservice.pem -outform PEM -pubout -out authservice.pub
+
+

server.py

@@ -3,7 +3,7 @@ from flask_cors import CORS
 
 # instantiate the webservice
 app = connexion.App(__name__)
-app.add_api('openapi.yaml')
+app.add_api('openapi.yaml', options = {"swagger_ui": True})
 
 # CORSify it - otherwise Angular won't accept it
 CORS(app.app)

test.py

@@ -1,20 +1,8 @@
-from jose import JWTError, jwt
-import os
-import werkzeug
+import connexion
+import logging
 
+logging.basicConfig(level=logging.DEBUG)
 
-JWT_SECRET = os.environ['JWT_SECRET']
-
-def decodeToken(token):
-    try:
-        return jwt.decode(token, JWT_SECRET)
-    except JWTError as e:
-        print("ERROR: decodeToken: {}".format(e))
-        raise werkzeug.exceptions.Unauthorized()
-
-def getSecret(user, token_info):
-    return '''
-    You are user_id {user} and the secret is 'wbevuec'.
-    Decoded token claims: {token_info}.
-    '''.format(user=user, token_info=token_info)
-
+app = connexion.App('authservice')
+app.add_api('./openapi.yaml')
+app.run(port=8080)

testjwe.py

@@ -0,0 +1,28 @@
+import unittest
+from jose import jwe
+import os
+import json
+
+JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
+JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]
+
+class JweTestMethods(unittest.TestCase):
+    def test_encryptDecrypt(self):
+        inObj = {"application":"hv2", "login":"wn", "password":"joshua"}
+        plainText = json.dumps(inObj)
+
+        cryptText = jwe.encrypt(plainText, JWT_PUB_KEY, "A256GCM", "RSA-OAEP")
+        print(cryptText)
+
+        clearText = jwe.decrypt(cryptText, JWT_PRIV_KEY)
+        print(clearText)
+
+        outObj = json.loads(clearText)
+        print(outObj)
+
+        self.assertEqual(outObj, inObj)
+
+
+
+if __name__ == '__main__':
+    unittest.main()