ungleich-otp/README.md

# ungleichotp #

ungleich-otp is a full blown authentication and authorisation service
made for micro services.

The basic idea is that every micro service has a (long term) triple
constisting of (name, realm, seed) and creates time based tokens.

This basically revamps Kerberos in a simple way into the web area.

ungleichotp has been created and is maintained by [ungleich](https://ungleich.ch/).

Related documentation:

* [Python pyotp](https://pyotp.readthedocs.io/)
* [RFC6238, TOTP](https://tools.ietf.org/html/rfc6238)
* [RFC4120, Kerberos](https://tools.ietf.org/html/rfc4120)

## Overview ##

This repository the reference implementation of the ungleichotp
server.


## Using the ungleichotpclient ##

All client commands need the parameters --auth-name and --auth-realm.
Also either --auth-seed or --auth-token needs to be specified.
```
python manage.py ungleichotpclient create \
    --server-url https://otp.ungleich.ch/ungleichotp/
    --auth-name admin
    --auth-realm ungleich-admin
    [--auth-seed THESEEDFORADMIN]
    [--auth-token THECURRENTTOKEN]
```

### Creating new users

```
--name USERNAME --realm REALMOFUSER --token TOKENTOBEVERIFIED verify
```

### Verifying a token is correct

Verify using:

```
--name USERNAME --realm REALMOFUSER --token TOKENTOBEVERIFIED verify
```

You can also verify using a seed:

```
--name USERNAME --realm REALMOFUSER --seed SEEDOFUSER verify
```


## Sample 2018-12-30

create:
(venv) [23:07] line:ungleich-otp% python manage.py ungleichotpclient create --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ  --name nico$(date +%s) --realm ungleich-admin

verify:

```
(venv) [23:07] line:ungleich-otp% python manage.py ungleichotpclient verify --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ  --name nico1546206660 --realm ungleich-admin --seed IXTARIU4H2F574M3
```

list:

```
(venv) [23:14] line:ungleich-otp% python manage.py ungleichotpclient list --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ
```


## Server Setup instructions ##

This is a standard django project and thus can be easily setup using

```
pip install -r requirements.txt
python manage.py createsuperuser
python manage.py runserver
```


## Realms ##

Access is granting/denied based on realms. There are two reserved
realms, all other realms can be used by the users:

### Reserved realms

Conceptually the realms "ungleich-admin" and "ungleich-auth" are
reserved for higher priviliged applications.

Usually there is only 1 entry in ungleich-admin that is used to
bootstrap and manage ungleich-otp.

All micro services that are trusted to authenticate another micro
service should have an entry in the ungleich-auth realm, which allows
them to verify a token of somebody else.


| Name             | Capabilities                               |
|------------------+--------------------------------------------|
| ungleich-admin   | authenticate, create, delete, list, update |
| ungleich-auth    | authenticate                               |
| all other realms | NO ACCESS                                  |


## Verify using http POST  ##

Post a JSON object to the server at /ungleichotp/verify/ that
contains the following elements:

Request JSON object:

```
{
    name: "your-name",
    realm: "your-realm",
    token: "current time based token",
    verifyname: "name that wants to be authenticated",
    verifyrealm: "realm that wants to be authenticated",
    verifytoken: "token that wants to be authenticated",
}
```

Response JSON object:

Either HTTP 200 with
```
{
    status: "OK",
}
```

OR return code 403:

* If token for authenticating is wrong, you get

```
{"detail":"Incorrect authentication credentials."}
```

* If token that is being verified is wrong, you get

```
{"detail":"You do not have permission to perform this action."}
```

## Authorize the request ##

From the ungleichotp-server, you get a validated information that a
name on a realm authenticated successfully. The associated permissions
("authorization") is application specific and needs to be decided by
your application.


## Limitations ##

* Name, Realm and seed are hard coded to 128 bytes length. This can be
  changed, if necessary.
* Only python3 support for ungleichotp


## TODOs

- [x] (server) Serialize / input request
- [x] (server) Make seed read only
- [x] (server) Implement registering of new entries
- [x] (server) OTPSerializer: allow to read seed for admin
- [x] (server) Implement deleting entry
- [x] (server) Include verify in ModelSerializer
- [x] (server) Map name+realm == User (?)
  - name == name@realm
  - password is used for admin login (?)
  - seed
  - custom auth method
- [n] (server) Try to fake username for django based on name+realm (?)
  - No need
- [n] (server) maybe overwrite get_username()
  - No need
- [x] (server) Use Custom authentication  - needs to have a user!
- [x] (server) Implement creating new "User" by POST / Model based
- [n] (server) Remove hard coded JSON in /verify (no - good enough for the moment)
- [x] (server) Fully rename server from ungleichotp to ungleichotpserver
- [ ] (security) Ensure that only the right realms can verify
- [ ] (security) Ensure that only the right realms can manage
- [ ] (doc) Add proper documentation
- [ ] (server) Add tests for verify
- [ ] (server) Add tests for authentication
- [ ] (server) move totp constants into settings
- [ ] (server) move field lengths into settings
- [ ] (server) Document how admin vs. rest works
- [ ] (server, client) Make settings adjustable by environment - k8s/docker compatible
- [ ] (server, client) Read DB from outside (?) (fallback to sqlite)
- [x] (client) Establish auth using urllib
- [ ] (client) Bootstrap Django + DRF (including an object for CRUD)
- [ ] (client) Add custom authentication / remote auth
- [ ] (client) Show case: any realm vs. specific realm
- [ ] (library) Write a "client library" that can use ungleichotp
- [ ] (library) extract generic parts from server
- [ ] (library) upload to pypi


## Changelog

### 0.6, 2018-11-18

* Reuse TokenSerializer for VerifySerializer logic

### 0.5, 2018-11-18

* Require authentication on all rest endpoints by token
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`# ungleichotp #`
Initial commit 2018-10-26 16:31:36 +00:00
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			`ungleich-otp is a full blown authentication and authorisation service`
			`made for micro services.`
Add hacky/early version README 2018-10-26 17:22:17 +00:00
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`The basic idea is that every micro service has a (long term) triple`
			`constisting of (name, realm, seed) and creates time based tokens.`

Update 2018-12-24 19:28:21 +00:00			`This basically revamps Kerberos in a simple way into the web area.`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00
			`ungleichotp has been created and is maintained by [ungleich](https://ungleich.ch/).`

			`Related documentation:`

			`* [Python pyotp](https://pyotp.readthedocs.io/)`
			`* [RFC6238, TOTP](https://tools.ietf.org/html/rfc6238)`
			`* [RFC4120, Kerberos](https://tools.ietf.org/html/rfc4120)`

Cleanup 2018-12-24 19:46:54 +00:00			`## Overview ##`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00
In between hacking commit Trying to rip out the auth part 2018-12-30 21:30:11 +00:00			`This repository the reference implementation of the ungleichotp`
			`server.`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00

Add hacky/early version README 2018-10-26 17:22:17 +00:00
In between hacking commit Trying to rip out the auth part 2018-12-30 21:30:11 +00:00
			`## Using the ungleichotpclient ##`

Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00			`All client commands need the parameters --auth-name and --auth-realm.`
			`Also either --auth-seed or --auth-token needs to be specified.`
In between hacking commit Trying to rip out the auth part 2018-12-30 21:30:11 +00:00			```
			`python manage.py ungleichotpclient create \`
			`--server-url https://otp.ungleich.ch/ungleichotp/`
Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00			`--auth-name admin`
			`--auth-realm ungleich-admin`
			`[--auth-seed THESEEDFORADMIN]`
			`[--auth-token THECURRENTTOKEN]`
In between hacking commit Trying to rip out the auth part 2018-12-30 21:30:11 +00:00			```
Update 2018-12-24 19:28:21 +00:00
Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00			`### Creating new users`
Add status 2018-10-26 17:36:34 +00:00
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			```
Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00			`--name USERNAME --realm REALMOFUSER --token TOKENTOBEVERIFIED verify`
			```

			`### Verifying a token is correct`

			`Verify using:`

			```
			`--name USERNAME --realm REALMOFUSER --token TOKENTOBEVERIFIED verify`
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			```

In between hacking commit Trying to rip out the auth part 2018-12-30 21:30:11 +00:00			`You can also verify using a seed:`
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00
			```
Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00			`--name USERNAME --realm REALMOFUSER --seed SEEDOFUSER verify`
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			```
Add status 2018-10-26 17:36:34 +00:00
Update doc, run actual authentication on verify 2019-02-08 18:25:07 +00:00
Cleanup 2018-12-24 19:46:54 +00:00
Fix auth! ungleich-admin can do anything, but verify ungleich-auth can only verify rest cannot login 2018-12-30 23:46:29 +00:00			`## Sample 2018-12-30`

			`create:`
			`(venv) [23:07] line:ungleich-otp% python manage.py ungleichotpclient create --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ --name nico$(date +%s) --realm ungleich-admin`

			`verify:`

			```
			`(venv) [23:07] line:ungleich-otp% python manage.py ungleichotpclient verify --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ --name nico1546206660 --realm ungleich-admin --seed IXTARIU4H2F574M3`
			```

			`list:`

			```
			`(venv) [23:14] line:ungleich-otp% python manage.py ungleichotpclient list --server-url http://localhost:8000/ungleichotp/ --auth-name info@ungleich.ch --auth-realm ungleich-admin --auth-seed PZKBPTHDGSLZBKIZ`
			```


Cleanup 2018-12-24 19:46:54 +00:00			`## Server Setup instructions ##`

			`This is a standard django project and thus can be easily setup using`
Add hacky/early version README 2018-10-26 17:22:17 +00:00
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			```
Cleanup 2018-12-24 19:46:54 +00:00			`pip install -r requirements.txt`
			`python manage.py createsuperuser`
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			`python manage.py runserver`
			```
Add hacky/early version README 2018-10-26 17:22:17 +00:00
++ API 2018-10-26 17:45:36 +00:00
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			`## Realms ##`
++ API 2018-10-26 17:45:36 +00:00
Begin integration of django rest framework 2018-11-17 00:11:17 +00:00			`Access is granting/denied based on realms. There are two reserved`
			`realms, all other realms can be used by the users:`
++ API 2018-10-26 17:45:36 +00:00
Introduce realms in documentation 2018-11-17 08:51:06 +00:00			`### Reserved realms`

			`Conceptually the realms "ungleich-admin" and "ungleich-auth" are`
			`reserved for higher priviliged applications.`

			`Usually there is only 1 entry in ungleich-admin that is used to`
			`bootstrap and manage ungleich-otp.`

			`All micro services that are trusted to authenticate another micro`
			`service should have an entry in the ungleich-auth realm, which allows`
			`them to verify a token of somebody else.`


			`\| Name \| Capabilities \|`
			`\|------------------+--------------------------------------------\|`
			`\| ungleich-admin \| authenticate, create, delete, list, update \|`
			`\| ungleich-auth \| authenticate \|`
			`\| all other realms \| NO ACCESS \|`

Begin integration of django rest framework 2018-11-17 00:11:17 +00:00
Add hacky/early version README 2018-10-26 17:22:17 +00:00
Cleanup 2018-12-24 19:46:54 +00:00			`## Verify using http POST ##`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00
Cleanup 2018-12-24 19:46:54 +00:00			`Post a JSON object to the server at /ungleichotp/verify/ that`
			`contains the following elements:`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00
			`Request JSON object:`

			```
			`{`
			`name: "your-name",`
			`realm: "your-realm",`
			`token: "current time based token",`
			`verifyname: "name that wants to be authenticated",`
			`verifyrealm: "realm that wants to be authenticated",`
			`verifytoken: "token that wants to be authenticated",`
			`}`
			```

			`Response JSON object:`

			`Either HTTP 200 with`
			```
			`{`
			`status: "OK",`
			`}`
			```

			`OR return code 403:`

			`* If token for authenticating is wrong, you get`

			```
			`{"detail":"Incorrect authentication credentials."}`
			```

			`* If token that is being verified is wrong, you get`

			```
			`{"detail":"You do not have permission to perform this action."}`
			```

Cleanup 2018-12-24 19:46:54 +00:00			`## Authorize the request ##`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00
			`From the ungleichotp-server, you get a validated information that a`
			`name on a realm authenticated successfully. The associated permissions`
			`("authorization") is application specific and needs to be decided by`
			`your application.`


Phase in ungleichotp 2018-11-18 14:41:47 +00:00			`## Limitations ##`

			`* Name, Realm and seed are hard coded to 128 bytes length. This can be`
			`changed, if necessary.`
			`* Only python3 support for ungleichotp`


Can verify token 2018-11-17 17:48:12 +00:00			`## TODOs`

Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [x] (server) Serialize / input request`
			`- [x] (server) Make seed read only`
			`- [x] (server) Implement registering of new entries`
			`- [x] (server) OTPSerializer: allow to read seed for admin`
			`- [x] (server) Implement deleting entry`
			`- [x] (server) Include verify in ModelSerializer`
			`- [x] (server) Map name+realm == User (?)`
Update readme, auth ideas 2018-11-17 20:45:53 +00:00			`- name == name@realm`
Begin to phase in custom authentication 2018-11-18 11:38:50 +00:00			`- password is used for admin login (?)`
Update readme, auth ideas 2018-11-17 20:45:53 +00:00			`- seed`
			`- custom auth method`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [n] (server) Try to fake username for django based on name+realm (?)`
			`- No need`
			`- [n] (server) maybe overwrite get_username()`
			`- No need`
			`- [x] (server) Use Custom authentication - needs to have a user!`
			`- [x] (server) Implement creating new "User" by POST / Model based`
			`- [n] (server) Remove hard coded JSON in /verify (no - good enough for the moment)`
Phase in ungleichotp 2018-11-18 14:41:47 +00:00			`- [x] (server) Fully rename server from ungleichotp to ungleichotpserver`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [ ] (security) Ensure that only the right realms can verify`
			`- [ ] (security) Ensure that only the right realms can manage`
Phase in ungleichotp 2018-11-18 14:41:47 +00:00			`- [ ] (doc) Add proper documentation`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [ ] (server) Add tests for verify`
			`- [ ] (server) Add tests for authentication`
			`- [ ] (server) move totp constants into settings`
			`- [ ] (server) move field lengths into settings`
Phase in ungleichotp 2018-11-18 14:41:47 +00:00			`- [ ] (server) Document how admin vs. rest works`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [ ] (server, client) Make settings adjustable by environment - k8s/docker compatible`
			`- [ ] (server, client) Read DB from outside (?) (fallback to sqlite)`
Phase in ungleichotp 2018-11-18 14:41:47 +00:00			`- [x] (client) Establish auth using urllib`
			`- [ ] (client) Bootstrap Django + DRF (including an object for CRUD)`
			`- [ ] (client) Add custom authentication / remote auth`
			`- [ ] (client) Show case: any realm vs. specific realm`
Be python friendly, don't use dashes 2018-11-18 13:33:30 +00:00			`- [ ] (library) Write a "client library" that can use ungleichotp`
			`- [ ] (library) extract generic parts from server`
			`- [ ] (library) upload to pypi`
Require authentication on all rest endpoints 2018-11-18 12:10:51 +00:00
++ doc, begin improving serializers 2018-11-18 12:24:09 +00:00

Require authentication on all rest endpoints 2018-11-18 12:10:51 +00:00			`## Changelog`
++ doc, begin improving serializers 2018-11-18 12:24:09 +00:00
Cleanup dev code 2018-11-18 12:42:16 +00:00			`### 0.6, 2018-11-18`

			`* Reuse TokenSerializer for VerifySerializer logic`

++ doc, begin improving serializers 2018-11-18 12:24:09 +00:00			`### 0.5, 2018-11-18`

			`* Require authentication on all rest endpoints by token`