wn/authservice
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: wn:0.1.1
Branches Tags
wn:master
wn:0.5.1 wn:0.5.0 wn:0.4.5 wn:0.4.3 wn:0.4.2 wn:0.4.1 wn:0.4.0 wn:0.3.1 wn:0.3.0 wn:0.2.1 wn:0.2.0 wn:0.1.7 wn:0.1.6 wn:0.1.5 wn:0.1.4 wn:0.1.3 wn:0.1.2 wn:0.1.1 wn:0.1.0 wn:0.0.10 wn:0.0.9 wn:0.0.8 wn:0.0.7 wn:0.0.6 wn:0.0.5 wn:0.0.4 wn:0.0.3 wn:0.0.2 wn:0.0.1
..
compare: wn:0.2.1
Branches Tags
wn:master
wn:0.5.1 wn:0.5.0 wn:0.4.5 wn:0.4.3 wn:0.4.2 wn:0.4.1 wn:0.4.0 wn:0.3.1 wn:0.3.0 wn:0.2.1 wn:0.2.0 wn:0.1.7 wn:0.1.6 wn:0.1.5 wn:0.1.4 wn:0.1.3 wn:0.1.2 wn:0.1.1 wn:0.1.0 wn:0.0.10 wn:0.0.9 wn:0.0.8 wn:0.0.7 wn:0.0.6 wn:0.0.5 wn:0.0.4 wn:0.0.3 wn:0.0.2 wn:0.0.1

13 Commits
0.1.1 ... 0.2.1

Author SHA1 Message Date
Wolfgang Hottgenroth
19b8aab8c2 test 2021-05-11 16:52:41 +02:00
Wolfgang Hottgenroth
e0bc8371ac adjust for postgres 2021-05-11 16:48:02 +02:00
Wolfgang Hottgenroth
7346da8419 move to psycopg2 2021-05-11 15:16:13 +02:00
Wolfgang Hottgenroth
fd9b673df9 change to postgres 2021-05-11 14:31:22 +02:00
Wolfgang Hottgenroth
c7dbaeabbb add application as aud in token 2021-05-07 14:40:40 +02:00
Wolfgang Hottgenroth
0911a73085 fix 2021-05-07 14:06:18 +02:00
Wolfgang Hottgenroth
1de73e99e3 message 2021-05-07 14:05:57 +02:00
Wolfgang Hottgenroth
b44af0658a jwe 2021-05-07 13:28:12 +02:00
Wolfgang Hottgenroth
309b4c6ba8 authe 2021-05-07 12:24:59 +02:00
Wolfgang Hottgenroth
a921fb6a0f changes 2021-05-07 12:15:30 +02:00
Wolfgang Hottgenroth
f56db65012 pubkey stuff, remove debug 2021-05-06 16:55:39 +02:00
Wolfgang Hottgenroth
ef0793be4e pubkey stuff 2021-05-06 16:52:16 +02:00
Wolfgang Hottgenroth
3f2442e259 pubkey stuff 2021-05-06 16:50:17 +02:00
7 changed files with 165 additions and 174 deletions
Expand all files Collapse all files

5
Dockerfile
View File

@ -16,8 +16,9 @@ ENV JWT_SECRET='streng_geheim'
RUN \ RUN \
apt update && \ apt update && \
apt install -y libmariadbclient-dev && \ apt install -y postgresql-client-common && \
pip3 install mariadb && \ pip3 install psycopg2 && \
pip3 install loguru && \
pip3 install dateparser && \ pip3 install dateparser && \
pip3 install connexion && \ pip3 install connexion && \
pip3 install connexion[swagger-ui] && \ pip3 install connexion[swagger-ui] && \

106
auth.py
View File

@ -3,9 +3,10 @@ import connexion
from jose import JWTError, jwt from jose import JWTError, jwt
import werkzeug import werkzeug
import os import os
import mariadb import psycopg2
from collections import namedtuple from collections import namedtuple
from pbkdf2 import crypt from pbkdf2 import crypt
from loguru import logger
DB_USER = os.environ["DB_USER"] DB_USER = os.environ["DB_USER"]
DB_PASS = os.environ["DB_PASS"] DB_PASS = os.environ["DB_PASS"]
@ -28,67 +29,71 @@ class PasswordMismatchException(Exception):
pass pass
UserEntry = namedtuple('UserEntry', ['id', 'login', 'expiry', 'claims']) UserEntry = namedtuple('UserEntry', ['id', 'login', 'pwhash', 'expiry', 'claims'])
JWT_PRIV_KEY = "" JWT_PRIV_KEY = ""
with open('/opt/app/config/authservice.key', 'r') as f: try:
JWT_PRIV_KEY = f.read().replace('\n','') JWT_PRIV_KEY = os.environ["JWT_PRIV_KEY"]
except KeyError:
with open('/opt/app/config/authservice.key', 'r') as f:
JWT_PRIV_KEY = f.read()
JWT_PUB_KEY = "" JWT_PUB_KEY = ""
with open('/opt/app/config/authservice.pub', 'r') as f: try:
JWT_PUB_KEY = f.read().replace('\n','') JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
except KeyError:
with open('/opt/app/config/authservice.pub', 'r') as f:
JWT_PUB_KEY = f.read()
def getUserEntryFromDB(application: str, login: str): def getUserEntryFromDB(application: str, login: str):
conn = None conn = None
cur = None cur = None
try: try:
conn = mariadb.connect(user = DB_USER, password = DB_PASS, conn = psycopg2.connect(user = DB_USER, password = DB_PASS,
host = DB_HOST, database = DB_NAME) host = DB_HOST, database = DB_NAME)
conn.autocommit = False conn.autocommit = False
cur = conn.cursor(dictionary=True) userObj = None
cur.execute("SELECT id, pwhash, expiry FROM user_application" + with conn.cursor() as cur:
" WHERE application = ? AND login = ?", cur.execute("SELECT id, pwhash, expiry FROM user_application_v" +
[application, login]) " WHERE application = %s AND login = %s",
resObj = cur.next() (application, login))
print("DEBUG: getUserEntryFromDB: resObj: {}".format(resObj)) userObj = cur.fetchone()
if not resObj: logger.debug("getUserEntryFromDB: userObj: {}".format(userObj))
if not userObj:
raise NoUserException() raise NoUserException()
invObj = cur.next() invObj = cur.fetchone()
if invObj: if invObj:
raise ManyUsersException() raise ManyUsersException()
userId = resObj["id"]
cur.execute("SELECT user, `key`, `value` FROM claims_for_user where user = ?",
[userId])
claims = {} claims = {}
with conn.cursor() as cur:
cur.execute('SELECT key, value FROM claims_for_user_v where "user" = %s and application = %s',
(userObj[0], application))
for claimObj in cur: for claimObj in cur:
print("DEBUG: getUserEntryFromDB: add claim {} -> {}".format(claimObj["key"], claimObj["value"])) logger.debug("getUserEntryFromDB: add claim {} -> {}".format(claimObj[0], claimObj[1]))
if claimObj["key"] in claims: if claimObj[0] in claims:
if isinstance(claims[claimObj["key"]], list): if isinstance(claims[claimObj[0]], list):
claims[claimObj["key"]].append(claimObj["value"]) claims[claimObj[0]].append(claimObj[1])
else: else:
claims[claimObj["key"]] = [ claims[claimObj["key"]] ] claims[claimObj[0]] = [ claims[claimObj[0]] ]
claims[claimObj["key"]].append(claimObj["value"]) claims[claimObj[0]].append(claimObj[1])
else: else:
claims[claimObj["key"]] = claimObj["value"] claims[claimObj[0]] = claimObj[1]
userEntry = UserEntry(id=userId, login=login, expiry=resObj["expiry"], claims=claims) userEntry = UserEntry(id=userObj[0], login=login, pwhash=userObj[1], expiry=userObj[2], claims=claims)
return userEntry, resObj["pwhash"] return userEntry
except mariadb.Error as err: except psycopg2.Error as err:
raise Exception("Error when connecting to database: {}".format(err)) raise Exception("Error when connecting to database: {}".format(err))
finally: finally:
if cur:
cur.close()
if conn: if conn:
conn.rollback()
conn.close() conn.close()
def getUserEntry(application, login, password): def getUserEntry(application, login, password):
userEntry, pwhash = getUserEntryFromDB(application, login) userEntry = getUserEntryFromDB(application, login)
if pwhash != crypt(password, pwhash): if userEntry.pwhash != crypt(password, userEntry.pwhash):
raise PasswordMismatchException() raise PasswordMismatchException()
return userEntry return userEntry
@ -106,28 +111,49 @@ def generateToken(**args):
"iss": JWT_ISSUER, "iss": JWT_ISSUER,
"iat": int(timestamp), "iat": int(timestamp),
"exp": int(timestamp + userEntry.expiry), "exp": int(timestamp + userEntry.expiry),
"sub": str(userEntry.id) "sub": str(userEntry.id),
"aud": application
} }
logger.debug("claims: {}".format(userEntry.claims))
for claim in userEntry.claims.items(): for claim in userEntry.claims.items():
# print("DEBUG: generateToken: add claim {} -> {}".format(claim[0], claim[1])) logger.debug("generateToken: add claim {}".format(claim))
payload[claim[0]] = claim[1] payload[claim[0]] = claim[1]
return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256') return jwt.encode(payload, JWT_PRIV_KEY, algorithm='RS256')
except NoUserException: except NoUserException:
print("ERROR: generateToken: no user found, login or application wrong") logger.error("generateToken: no user found, login or application wrong")
raise werkzeug.exceptions.Unauthorized() raise werkzeug.exceptions.Unauthorized()
except ManyUsersException: except ManyUsersException:
print("ERROR: generateToken: too many users found") logger.error("generateToken: too many users found")
raise werkzeug.exceptions.Unauthorized() raise werkzeug.exceptions.Unauthorized()
except PasswordMismatchException: except PasswordMismatchException:
print("ERROR: generateToken: wrong password") logger.error("generateToken: wrong password")
raise werkzeug.exceptions.Unauthorized() raise werkzeug.exceptions.Unauthorized()
except KeyError: except KeyError:
print("ERROR: generateToken: application, login or password missing") logger.error("generateToken: application, login or password missing")
raise werkzeug.exceptions.Unauthorized() raise werkzeug.exceptions.Unauthorized()
except Exception as e: except Exception as e:
print("ERROR: generateToken: unspecific exception: {}".format(str(e))) logger.error("generateToken: unspecific exception: {}".format(str(e)))
raise werkzeug.exceptions.Unauthorized() raise werkzeug.exceptions.Unauthorized()
def generateTokenFromEnc(**args):
cryptContent = args["body"]
raise werkzeug.exceptions.NotImplemented("Stay tuned, will be added soon")
return str(cryptContent)
def getPubKey(): def getPubKey():
return JWT_PUB_KEY return JWT_PUB_KEY
def decodeToken(token):
try:
return jwt.decode(token, JWT_PUB_KEY, audience="test")
except JWTError as e:
logger.error("decodeToken: {}".format(e))
raise werkzeug.exceptions.Unauthorized()
def getSecret(user, token_info):
return '''
You are user_id {user} and the secret is 'wbevuec'.
Decoded token claims: {token_info}.
'''.format(user=user, token_info=token_info)

2
build.sh
View File

@ -4,5 +4,5 @@ IMAGE_NAME="registry.hottis.de/wolutator/authservice"
VERSION=0.0.1 VERSION=0.0.1
docker build -t ${IMAGE_NAME}:${VERSION} . docker build -t ${IMAGE_NAME}:${VERSION} .
docker push ${IMAGE_NAME}:${VERSION} # docker push ${IMAGE_NAME}:${VERSION}

152
initial-schema.sql
View File

@ -1,111 +1,61 @@
CREATE DATABASE `authservice`; create sequence application_s start with 1 increment by 1;
USE `authservice`; create table application_t (
id integer primary key not null default nextval('application_s'),
name varchar(128) not null unique
);
CREATE TABLE `applications` ( create sequence user_s start with 1 increment by 1;
`id` int(10) unsigned NOT NULL AUTO_INCREMENT, create table user_t (
`name` varchar(128) NOT NULL, id integer primary key not null default nextval('user_s'),
CONSTRAINT PRIMARY KEY (`id`), login varchar(64) not null unique,
CONSTRAINT UNIQUE KEY `uk_applications_name` (`name`) pwhash varchar(64) not null,
) ENGINE=InnoDB; expiry integer not null default 600
);
CREATE TABLE `users` ( create sequence claim_s start with 1 increment by 1;
`id` int(10) unsigned NOT NULL AUTO_INCREMENT, create table claim_t (
`login` varchar(64) NOT NULL, id integer primary key not null default nextval('claim_s'),
`pwhash` varchar(64) NOT NULL, key varchar(64) not null,
`expiry` int(10) unsigned NOT NULL DEFAULT 600, value varchar(64) not null,
CONSTRAINT PRIMARY KEY (`id`), application integer not null references application(id),
CONSTRAINT UNIQUE KEY `uk_users_login` (`login`) unique (key, value)
) ENGINE=InnoDB; );
CREATE TABLE `claims` ( create table user_claim_mapping_t (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT, "user" integer not null references user_t(id),
`key` varchar(64) NOT NULL, claim integer not null references claim_t(id),
`value` varchar(1024) NOT NULL, unique ("user", claim)
CONSTRAINT PRIMARY KEY (`id`), );
CONSTRAINT UNIQUE KEY `uk_claims_key_value` (`key`, `value`)
) ENGINE=InnoDB;
CREATE TABLE `user_claims_mapping` ( create table user_application_mapping_t (
`user` int(10) unsigned NOT NULL, "user" integer not null references user_t(id),
`claim` int(10) unsigned NOT NULL, application integer not null references application_t(id),
CONSTRAINT UNIQUE KEY `uk_user_claims_mapping` (`user`, `claim` ), unique ("user", application)
CONSTRAINT FOREIGN KEY `fk_user_claims_mapping_user` (`user`) );
REFERENCES `users`(`id`),
CONSTRAINT FOREIGN KEY `fk_user_claims_mapping_claim` (`claim`)
REFERENCES `claims`(`id`)
) ENGINE=InnoDB;
CREATE TABLE `user_applications_mapping` ( create or replace view claims_for_user_v as
`user` int(10) unsigned NOT NULL, select u.id as "user",
`application` int(10) unsigned NOT NULL, a.name as application,
CONSTRAINT UNIQUE KEY `uk_user_applications_mapping` (`user`, `application` ), c.key as key,
CONSTRAINT FOREIGN KEY `fk_user_applications_mapping_user` (`user`) c.value as value
REFERENCES `users`(`id`), from user_t u,
CONSTRAINT FOREIGN KEY `fk_user_applications_mapping_application` (`application`) claim_t c,
REFERENCES `applications`(`id`) user_claim_mapping_t m,
) ENGINE=InnoDB; application_t a
where m.user = u.id and
m.claim = c.id and
a.id = c.application;
CREATE OR REPLACE VIEW claims_for_user AS create or replace view user_application_v as
SELECT u.id AS user, select u.login as login,
c.`key` AS `key`, u.pwhash as pwhash,
c.`value` AS `value` u.id as id,
FROM users u, u.expiry as expiry,
claims c,
user_claims_mapping m
WHERE m.user = u.id AND
m.claim = c.id;
CREATE OR REPLACE VIEW user_application AS
SELECT u.login AS login,
u.pwhash AS pwhash,
u.id AS id,
u.expiry AS expiry,
a.name as application a.name as application
FROM users u, from user_t u,
applications a, application_t a,
user_applications_mapping m user_application_mapping_t m
WHERE u.id = m.user AND where u.id = m.user and
a.id = m.application; a.id = m.application;
CREATE USER 'authservice-ui'@'%' IDENTIFIED BY 'test123';
GRANT SELECT ON `user_application` TO 'authservice-ui'@'%';
GRANT SELECT ON `claims_for_user` TO 'authservice-ui'@'%';
CREATE USER 'authservice-cli'@'%' IDENTIFIED BY 'test123';
GRANT INSERT ON `users` TO 'authservice-cli'@'%';
GRANT INSERT ON `user_applications_mapping` TO 'authservice-cli'@'%';
FLUSH PRIVILEGES;
INSERT INTO `applications` (`name`) VALUES ('hv');
INSERT INTO `claims` (`key`, `value`) VALUES ('accesslevel', 'r');
INSERT INTO `claims` (`key`, `value`) VALUES ('accesslevel', 'rw');
-- password is 'test123'
INSERT INTO `users` (`login`, `pwhash`) VALUES ('wn', '$p5k2$186a0$dJXL0AjF$0HualDF92nyilDXPgSbaUn/UpFzSrpPx');
INSERT INTO `user_applications_mapping` (`user`, `application`)
VALUES(
(SELECT `id` FROM `users` WHERE `login` = 'wn'),
(SELECT `id` FROM `applications` WHERE `name` = 'hv')
);
INSERT INTO `user_claims_mapping` (`user`, `claim`)
VALUES(
(SELECT `id` FROM `users` WHERE `login` = 'wn'),
(SELECT `id` FROM `claims` WHERE `key` = 'accesslevel' AND `value` = 'rw')
);
-- password is 'geheim'
INSERT INTO `users` (`login`, `pwhash`) VALUES ('gregor', '$p5k2$186a0$Tcwps8Ar$TsypGB.y1dCB9pWOPz2X2SsxYqrTn3Fv');
INSERT INTO `user_applications_mapping` (`user`, `application`)
VALUES(
(SELECT `id` FROM `users` WHERE `login` = 'gregor'),
(SELECT `id` FROM `applications` WHERE `name` = 'hv')
);
INSERT INTO `user_claims_mapping` (`user`, `claim`)
VALUES(
(SELECT `id` FROM `users` WHERE `login` = 'gregor'),
(SELECT `id` FROM `claims` WHERE `key` = 'accesslevel' AND `value` = 'rw')
);

25
openapi.yaml
View File

@ -7,7 +7,7 @@ paths:
/auth: /auth:
post: post:
tags: [ "JWT" ] tags: [ "JWT" ]
summary: Return JWT token summary: Accept login and password, return JWT token
operationId: auth.generateToken operationId: auth.generateToken
requestBody: requestBody:
content: content:
@ -21,11 +21,28 @@ paths:
'text/plain': 'text/plain':
schema: schema:
type: string type: string
/authe:
post:
tags: [ "JWT" ]
summary: Accept encrypted set of credentials, return JWT token
operationId: auth.generateTokenFromEnc
requestBody:
content:
'text/plain':
schema:
type: string
responses:
'200':
description: JWT token
content:
'text/plain':
schema:
type: string
/secret: /secret:
get: get:
tags: [ "JWT" ] tags: [ "Test" ]
summary: Return secret string summary: Return secret string
operationId: test.getSecret operationId: auth.getSecret
responses: responses:
'200': '200':
description: secret response description: secret response
@ -55,7 +72,7 @@ components:
type: http type: http
scheme: bearer scheme: bearer
bearerFormat: JWT bearerFormat: JWT
x-bearerInfoFunc: test.decodeToken x-bearerInfoFunc: auth.decodeToken
schemas: schemas:
User: User:
description: Application/Login/Password tuple description: Application/Login/Password tuple

24
test.py
View File

@ -1,20 +1,8 @@
from jose import JWTError, jwt import connexion
import os import logging
import werkzeug
logging.basicConfig(level=logging.INFO)
JWT_SECRET = os.environ['JWT_SECRET'] app = connexion.App('authservice')
app.add_api('./openapi.yaml')
def decodeToken(token): app.run(port=8080)
try:
return jwt.decode(token, JWT_SECRET)
except JWTError as e:
print("ERROR: decodeToken: {}".format(e))
raise werkzeug.exceptions.Unauthorized()
def getSecret(user, token_info):
return '''
You are user_id {user} and the secret is 'wbevuec'.
Decoded token claims: {token_info}.
'''.format(user=user, token_info=token_info)

9
testjwe.py Normal file
View File

@ -0,0 +1,9 @@
from jose import jwe
JWT_PUB_KEY = os.environ["JWT_PUB_KEY"]
plainText = "BlaBlaBla123"
cryptText = jwe.encrypt(plainText, JWT_PUB_KEY, "A256GCM", "RSA-OAEP")
print(cryptText)