Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
35a997774f
|
|||
|
08734cb82c
|
|||
|
875301b437
|
|||
|
da06065959
|
|||
|
fe007cbfe7
|
|||
|
e2d5ed21ad
|
|||
|
003c83da92
|
3
ENV.tmpl
3
ENV.tmpl
@ -1,9 +1,10 @@
|
||||
# copy to ENV and adjust values
|
||||
|
||||
export DB_HOST="172.16.10.18"
|
||||
export DB_USER="hausverwaltung-ui"
|
||||
export DB_USER="authservice-ui"
|
||||
export DB_PASS="test123"
|
||||
export DB_NAME="authservice"
|
||||
|
||||
# only required for decoding, on client side
|
||||
export JWT_SECRET='streng_geheim'
|
||||
export JWT_ISSUER='de.hottis.authservice'
|
||||
|
||||
14
asadduser.py
14
asadduser.py
@ -16,15 +16,11 @@ parser.add_argument('--password', '-p',
|
||||
parser.add_argument('--application', '-a',
|
||||
help='Application',
|
||||
required=True)
|
||||
parser.add_argument('--issuer', '-i',
|
||||
help='Issuer',
|
||||
required=True)
|
||||
|
||||
args = parser.parse_args()
|
||||
user = args.user
|
||||
password = args.password
|
||||
application = args.application
|
||||
issuer = args.issuer
|
||||
|
||||
|
||||
DB_USER = os.environ["DB_USER"]
|
||||
@ -43,13 +39,9 @@ try:
|
||||
|
||||
cur = conn.cursor()
|
||||
cur.execute("""
|
||||
INSERT INTO users (issuer, login, password)
|
||||
VALUES(
|
||||
(SELECT id FROM issuers WHERE name = ?),
|
||||
?,
|
||||
?
|
||||
)
|
||||
""", [issuer, user, pwhash])
|
||||
INSERT INTO users (login, pwhash)
|
||||
VALUES(?, ?)
|
||||
""", [user, pwhash])
|
||||
cur.execute("""
|
||||
INSERT INTO user_applications_mapping (application, user)
|
||||
VALUES(
|
||||
|
||||
21
auth.py
21
auth.py
@ -12,6 +12,9 @@ DB_PASS = os.environ["DB_PASS"]
|
||||
DB_HOST = os.environ["DB_HOST"]
|
||||
DB_NAME = os.environ["DB_NAME"]
|
||||
|
||||
JWT_ISSUER = os.environ["JWT_ISSUER"]
|
||||
JWT_SECRET = os.environ["JWT_SECRET"]
|
||||
|
||||
|
||||
class NoUserException(Exception):
|
||||
pass
|
||||
@ -23,7 +26,7 @@ class PasswordMismatchException(Exception):
|
||||
pass
|
||||
|
||||
|
||||
UserEntry = namedtuple('UserEntry', ['id', 'login', 'issuer', 'secret', 'expiry', 'claims'])
|
||||
UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims'])
|
||||
|
||||
|
||||
|
||||
@ -36,7 +39,7 @@ def getUserEntryFromDB(application: str, login: str):
|
||||
conn.autocommit = False
|
||||
|
||||
cur = conn.cursor(dictionary=True)
|
||||
cur.execute("SELECT id, password, issuer, secret, expiry FROM user_application_and_issuer " +
|
||||
cur.execute("SELECT id, pwhash, expiry FROM user_application" +
|
||||
" WHERE application = ? AND login = ?",
|
||||
[application, login])
|
||||
resObj = cur.next()
|
||||
@ -54,7 +57,7 @@ def getUserEntryFromDB(application: str, login: str):
|
||||
for claimObj in cur:
|
||||
print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"]))
|
||||
if claimObj["key"] in claims:
|
||||
if isinstance(claimObj["key"], list):
|
||||
if isinstance(claims[claimObj["key"]], list):
|
||||
claims[claimObj["key"]].append(claimObj["value"])
|
||||
else:
|
||||
claims[claimObj["key"]] = [ claims[claimObj["key"]] ]
|
||||
@ -62,11 +65,9 @@ def getUserEntryFromDB(application: str, login: str):
|
||||
else:
|
||||
claims[claimObj["key"]] = claimObj["value"]
|
||||
|
||||
userEntry = UserEntry(id=userId, login=login,
|
||||
secret=resObj["secret"], issuer=resObj["issuer"],
|
||||
expiry=resObj["expiry"], claims=claims)
|
||||
userEntry = UserEntry(id=userId, login=login, expiry=resObj["expiry"], claims=claims)
|
||||
|
||||
return userEntry, resObj["password"]
|
||||
return userEntry, resObj["pwhash"]
|
||||
except mariadb.Error as err:
|
||||
raise Exception("Error when connecting to database: {}".format(err))
|
||||
finally:
|
||||
@ -93,16 +94,16 @@ def generateToken(**args):
|
||||
|
||||
timestamp = int(time.time())
|
||||
payload = {
|
||||
"iss": userEntry.issuer,
|
||||
"iss": JWT_ISSUER,
|
||||
"iat": int(timestamp),
|
||||
"exp": int(timestamp + userEntry.expiry),
|
||||
"sub": str(userEntry.id)
|
||||
}
|
||||
for claim in userEntry.claims.items():
|
||||
# print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1]))
|
||||
payload["x-{}".format(claim[0])] = claim[1]
|
||||
payload[claim[0]] = claim[1]
|
||||
|
||||
return jwt.encode(payload, userEntry.secret)
|
||||
return jwt.encode(payload, JWT_SECRET)
|
||||
except NoUserException:
|
||||
print("ERROR: generateToken: no user found, login or application wrong")
|
||||
raise werkzeug.exceptions.Unauthorized()
|
||||
|
||||
@ -1,14 +1,5 @@
|
||||
CREATE TABLE `issuers` (
|
||||
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
|
||||
`name` varchar(128) NOT NULL,
|
||||
`secret` varchar(128) NOT NULL,
|
||||
`max_expiry` int(10) NOT NULL,
|
||||
CONSTRAINT PRIMARY KEY (`id`),
|
||||
CONSTRAINT UNIQUE KEY `uk_issuers_name` (`name`)
|
||||
) ENGINE=InnoDB;
|
||||
|
||||
ALTER TABLE `issuers`
|
||||
MODIFY COLUMN `max_expiry` int(10) unsigned NOT NULL;
|
||||
CREATE DATABASE `authservice`;
|
||||
USE `authservice`;
|
||||
|
||||
CREATE TABLE `applications` (
|
||||
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
|
||||
@ -20,36 +11,12 @@ CREATE TABLE `applications` (
|
||||
CREATE TABLE `users` (
|
||||
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
|
||||
`login` varchar(64) NOT NULL,
|
||||
`password` varchar(64) NOT NULL,
|
||||
`pwhash` varchar(64) NOT NULL,
|
||||
`expiry` int(10) unsigned NOT NULL DEFAULT 600,
|
||||
CONSTRAINT PRIMARY KEY (`id`),
|
||||
CONSTRAINT UNIQUE KEY `uk_users_login` (`login`)
|
||||
) ENGINE=InnoDB;
|
||||
|
||||
ALTER TABLE `users`
|
||||
ADD COLUMN issuer int(10) unsigned;
|
||||
|
||||
ALTER TABLE `users`
|
||||
MODIFY COLUMN issuer int(10) unsigned NOT NULL;
|
||||
|
||||
ALTER TABLE `users`
|
||||
ADD CONSTRAINT FOREIGN KEY `fk_users_issuer` (`issuer`)
|
||||
REFERENCES `issuers` (`id`);
|
||||
|
||||
ALTER TABLE `users`
|
||||
DROP CONSTRAINT `uk_users_login`;
|
||||
|
||||
ALTER TABLE `users`
|
||||
ADD CONSTRAINT UNIQUE KEY `uk_users_login_issuer` (`login`, `issuer`);
|
||||
|
||||
ALTER TABLE `users`
|
||||
ADD COLUMN expiry int(10) unsigned;
|
||||
|
||||
ALTER TABLE `users`
|
||||
MODIFY COLUMN expiry int(10) unsigned NOT NULL;
|
||||
|
||||
ALTER TABLE `users`
|
||||
MODIFY COLUMN expiry int(10) unsigned NOT NULL DEFAULT 600;
|
||||
|
||||
CREATE TABLE `claims` (
|
||||
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
|
||||
`key` varchar(64) NOT NULL,
|
||||
@ -88,19 +55,57 @@ CREATE OR REPLACE VIEW claims_for_user AS
|
||||
WHERE m.user = u.id AND
|
||||
m.claim = c.id;
|
||||
|
||||
CREATE OR REPLACE VIEW user_application_and_issuer AS
|
||||
CREATE OR REPLACE VIEW user_application AS
|
||||
SELECT u.login AS login,
|
||||
u.password AS password,
|
||||
u.pwhash AS pwhash,
|
||||
u.id AS id,
|
||||
a.name as application,
|
||||
i.name AS issuer,
|
||||
i.secret AS secret,
|
||||
least(u.expiry, i.max_expiry) AS expiry
|
||||
u.expiry AS expiry,
|
||||
a.name as application
|
||||
FROM users u,
|
||||
issuers i,
|
||||
applications a,
|
||||
user_applications_mapping m
|
||||
WHERE u.issuer = i.id AND
|
||||
u.id = m.user AND
|
||||
WHERE u.id = m.user AND
|
||||
a.id = m.application;
|
||||
|
||||
|
||||
CREATE USER 'authservice-ui'@'%' IDENTIFIED BY 'test123';
|
||||
GRANT SELECT ON `user_application` TO 'authservice-ui'@'%';
|
||||
GRANT SELECT ON `claims_for_user` TO 'authservice-ui'@'%';
|
||||
|
||||
CREATE USER 'authservice-cli'@'%' IDENTIFIED BY 'test123';
|
||||
GRANT INSERT ON `users` TO 'authservice-cli'@'%';
|
||||
GRANT INSERT ON `user_applications_mapping` TO 'authservice-cli'@'%';
|
||||
|
||||
FLUSH PRIVILEGES;
|
||||
|
||||
INSERT INTO `applications` (`name`) VALUES ('hv');
|
||||
|
||||
INSERT INTO `claims` (`key`, `value`) VALUES ('accesslevel', 'r');
|
||||
INSERT INTO `claims` (`key`, `value`) VALUES ('accesslevel', 'rw');
|
||||
|
||||
-- password is 'test123'
|
||||
INSERT INTO `users` (`login`, `pwhash`) VALUES ('wn', '$p5k2$186a0$dJXL0AjF$0HualDF92nyilDXPgSbaUn/UpFzSrpPx');
|
||||
INSERT INTO `user_applications_mapping` (`user`, `application`)
|
||||
VALUES(
|
||||
(SELECT `id` FROM `users` WHERE `login` = 'wn'),
|
||||
(SELECT `id` FROM `applications` WHERE `name` = 'hv')
|
||||
);
|
||||
INSERT INTO `user_claims_mapping` (`user`, `claim`)
|
||||
VALUES(
|
||||
(SELECT `id` FROM `users` WHERE `login` = 'wn'),
|
||||
(SELECT `id` FROM `claims` WHERE `key` = 'accesslevel' AND `value` = 'rw')
|
||||
);
|
||||
|
||||
-- password is 'geheim'
|
||||
INSERT INTO `users` (`login`, `pwhash`) VALUES ('gregor', '$p5k2$186a0$Tcwps8Ar$TsypGB.y1dCB9pWOPz2X2SsxYqrTn3Fv');
|
||||
INSERT INTO `user_applications_mapping` (`user`, `application`)
|
||||
VALUES(
|
||||
(SELECT `id` FROM `users` WHERE `login` = 'gregor'),
|
||||
(SELECT `id` FROM `applications` WHERE `name` = 'hv')
|
||||
);
|
||||
INSERT INTO `user_claims_mapping` (`user`, `claim`)
|
||||
VALUES(
|
||||
(SELECT `id` FROM `users` WHERE `login` = 'gregor'),
|
||||
(SELECT `id` FROM `claims` WHERE `key` = 'accesslevel' AND `value` = 'rw')
|
||||
);
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@ from flask_cors import CORS
|
||||
|
||||
# instantiate the webservice
|
||||
app = connexion.App(__name__)
|
||||
app.add_api('openapi.yaml', options = {"swagger_ui": False})
|
||||
app.add_api('openapi.yaml', options = {"swagger_ui": True})
|
||||
|
||||
# CORSify it - otherwise Angular won't accept it
|
||||
CORS(app.app)
|
||||
|
||||
Reference in New Issue
Block a user