# ungleichotp #

ungleich-otp is a full-blown authentication and authorisation service
made for micro services.

The basic idea is that every micro service has a (long term) triple
consisting of (name, realm, seed) and creates time based tokens.

This basically revamps Kerberos in a simple way into the web area.

ungleichotp has been created and is maintained by [ungleich](https://ungleich.ch/).

Related documentation:

* [Python pyotp](https://pyotp.readthedocs.io/)
* [RFC6238, TOTP](https://tools.ietf.org/html/rfc6238)
* [RFC4120, Kerberos](https://tools.ietf.org/html/rfc4120)

## Overview ##

This repository is the reference implementation of the ungleichotp server.

## Using the ungleichotpclient ##

The client can be used to test the ungleich-otp-server.

All client commands need the parameters --auth-name and --auth-realm.
Also either --auth-seed or --auth-token needs to be specified.

```
python manage.py ungleichotpclient create \
    --server-url https://otp.ungleich.ch/ungleichotp/ \
    --auth-name admin \
    --auth-realm ungleich-admin \
    [--auth-seed THESEEDFORADMIN] \
    [--auth-token THECURRENTTOKEN]
```

### Creating new users

```
--name USERNAME --realm REALMOFUSER create
```

The seed is randomly created.

### Listing users

```
list
```

### Deleting users

```
--name USERNAME --realm REALMOFUSER delete
```

### Verifying a token is correct

Verify using:

```
--name USERNAME --realm REALMOFUSER --token TOKENTOBEVERIFIED verify
```

You can also verify using a seed:

```
--name USERNAME --realm REALMOFUSER --seed SEEDOFUSER verify
```

## Server Setup instructions ##

This is a standard Django project and thus can be easily set up using:

```
pip install -r requirements.txt
python manage.py createsuperuser
python manage.py runserver
```

## Realms ##

Access is granted/denied based on realms. There are two reserved
realms; all other realms can be used by the users.

### Reserved realms

Conceptually the realms "ungleich-admin" and "ungleich-auth" are
reserved for higher privileged applications.

Usually there is only 1 entry in ungleich-admin that is used to
bootstrap and manage ungleich-otp.

All micro services that are trusted to authenticate another micro
service should have an entry in the ungleich-auth realm, which allows
them to verify a token of somebody else.

```
| Name             | Capabilities                               |
|------------------+--------------------------------------------|
| ungleich-admin   | authenticate, create, delete, list, update |
| ungleich-auth    | authenticate, verify                       |
| all other realms | authenticate                               |
```

## Verify using http POST ##

Post a JSON object to the server at /ungleichotp/verify/ that
contains the following elements:

Request JSON object:

```
{
    "auth_name": "auth-name",
    "auth_realm": "auth-realm",
    "auth_token": "current time based token",
    "name": "name that wants to be authenticated",
    "realm": "realm that wants to be authenticated",
    "token": "token that wants to be authenticated"
}
```

Response JSON object:

Either HTTP 200 with

```
{
    "status": "OK"
}
```

OR return code 403:

* If token for authenticating is wrong, you get
```
{"detail":"Incorrect authentication credentials."}
```
* If token that is being verified is wrong, you get
```
{"detail":"You do not have permission to perform this action."}
```
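
The verify exchange described above, as an added Python example (not part of the ungleich-otp code base): it derives `auth_token` from the caller's own seed, builds the POST, and maps the documented responses to outcomes. It assumes RFC 6238 defaults (HMAC-SHA1, 30 second step, 6 digits) and a base32 seed as in pyotp; the server URL, the sample seed and names, and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, struct, time
import urllib.request

# Assumed placeholder URL; the path /ungleichotp/verify/ is from the README.
VERIFY_URL = "https://otp.example.org/ungleichotp/verify/"

def totp(seed_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed parameters, see lead-in)."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def build_verify_request(auth_name, auth_realm, auth_seed, name, realm, token, now=None):
    """POST body for verify: our own fresh token plus the triple to check."""
    body = {
        "auth_name": auth_name, "auth_realm": auth_realm,
        "auth_token": totp(auth_seed, now),
        "name": name, "realm": realm, "token": token,
    }
    return urllib.request.Request(
        VERIFY_URL, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")

def interpret(status, body):
    """Map the documented responses to an outcome; anything else fails closed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "error"
    if not isinstance(doc, dict):
        return "error"
    if status == 200 and doc.get("status") == "OK":
        return "verified"
    if status == 403:
        detail = doc.get("detail")
        if detail == "Incorrect authentication credentials.":
            return "caller-auth-failed"  # the auth_* fields were rejected
        if detail == "You do not have permission to perform this action.":
            return "token-rejected"  # the token being verified is wrong
    return "error"

if __name__ == "__main__":
    seed = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed sample seed
    req = build_verify_request("svc", "ungleich-auth", seed, "alice", "users", "123456")
    print(req.get_method(), req.full_url, req.data.decode())
    print(interpret(403, '{"detail":"Incorrect authentication credentials."}'))
```

Distinguishing the two 403 bodies lets a calling service tell a problem with its own credentials apart from a rejected user token, and treating every undocumented response as an error keeps the check fail-closed.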

## Authorize the request ##

From the ungleichotp-server, you get validated information that a
name on a realm authenticated successfully. The associated permissions
("authorization") are application specific and need to be decided by
your application.

## Limitations ##

* Name, Realm and seed are hard coded to 128 bytes length.
  This can be changed, if necessary.
* Only python3 support for ungleichotp

## TODOs

- [x] (server) Serialize / input request
- [x] (server) Make seed read only
- [x] (server) Implement registering of new entries
- [x] (server) OTPSerializer: allow to read seed for admin
- [x] (server) Implement deleting entry
- [x] (server) Include verify in ModelSerializer
- [x] (server) Map name+realm == User (?)
  - name == name@realm
  - password is used for admin login (?)
  - seed
  - custom auth method
- [n] (server) Try to fake username for django based on name+realm (?)
  - No need
- [n] (server) maybe overwrite get_username()
  - No need
- [x] (server) Use Custom authentication - needs to have a user!
- [x] (server) Implement creating new "User" by POST / Model based
- [n] (server) Remove hard coded JSON in /verify (no - good enough for the moment)
- [x] (server) Fully rename server from ungleichotp to ungleichotpserver
- [x] (security) Ensure that only the right realms can verify
- [x] (security) Ensure that only the right realms can manage
- [ ] (doc) Add proper documentation
- [ ] (server) Add tests for verify
- [ ] (server) Add tests for authentication
- [ ] (server) move totp constants into settings
- [ ] (server) move field lengths into settings
- [ ] (server) Document how admin vs. rest works
- [ ] (server, client) Make settings adjustable by environment - k8s/docker compatible
- [ ] (server, client) Read DB from outside (?) (fallback to sqlite)
- [x] (client) Establish auth using urllib
- [ ] (client) Bootstrap Django + DRF (including an object for CRUD)
- [ ] (client) Add custom authentication / remote auth
- [ ] (client) Show case: any realm vs. specific realm
- [x] (library) Write a "client library" that can use ungleichotp
- [x] (library) extract generic parts from server
- [ ] (library) upload to pypi

## Changelog

### 0.8, 2019-02-08

* Verify needed to call super()

### 0.6, 2018-11-18

* Reuse TokenSerializer for VerifySerializer logic

### 0.5, 2018-11-18

* Require authentication on all rest endpoints by token