ungleich-otp/README.md

306 lines
5.5 KiB
Markdown
Raw Normal View History

2018-10-26 16:31:36 +00:00
# ungleich-otp
ungleich-otp is a full blown authentication and authorisation service
made for micro services.
2018-10-26 17:22:17 +00:00
The basic idea is that every micro service has a (long term) seed and
2018-11-17 10:39:42 +00:00
creates time based tokens (See python pyotp, RFC4226, RFC6238).
2018-10-26 17:22:17 +00:00
## Setup instructions ##
2018-10-26 17:22:17 +00:00
This is a standard django project and thus can be easily setup using
2018-10-26 17:36:34 +00:00
```
pip install -r requirements.txt
```
To bootstrap the application, you need your very first trusted seed to
access the application. You can generate it using
```
to be filled in
```
2018-10-26 17:36:34 +00:00
After that, you can run the application using
2018-10-26 17:22:17 +00:00
```
python manage.py runserver
```
2018-10-26 17:22:17 +00:00
The usual instructions on how to setup an https proxy should be followed.
2018-10-26 17:45:36 +00:00
## Realms ##
2018-10-26 17:45:36 +00:00
Access is granting/denied based on realms. There are two reserved
realms, all other realms can be used by the users:
2018-10-26 17:45:36 +00:00
2018-11-17 08:51:06 +00:00
### Reserved realms
Conceptually the realms "ungleich-admin" and "ungleich-auth" are
reserved for higher priviliged applications.
Usually there is only 1 entry in ungleich-admin that is used to
bootstrap and manage ungleich-otp.
All micro services that are trusted to authenticate another micro
service should have an entry in the ungleich-auth realm, which allows
them to verify a token of somebody else.
| Name | Capabilities |
|------------------+--------------------------------------------|
| ungleich-admin | authenticate, create, delete, list, update |
| ungleich-auth | authenticate |
| all other realms | NO ACCESS |
## Usage: REST ##
- Use an existing token to connect to the service
- All REST based messages: JSON
2018-11-17 18:00:48 +00:00
### POST: /ungleichotp/verify
Request JSON object:
2018-10-26 17:48:15 +00:00
```
{
version: "1",
2018-11-17 10:39:42 +00:00
name: "your-name",
realm: "your-realm",
token: "current time based token",
2018-11-17 10:39:42 +00:00
verifyname: "name that wants to be authenticated",
verifyrealm: "realm that wants to be authenticated",
verifytoken: "token that wants to be authenticated",
2018-10-26 17:48:15 +00:00
}
```
Response JSON object:
2018-10-26 17:48:15 +00:00
Either
2018-10-26 17:48:15 +00:00
```
{
status: "OK",
2018-10-26 17:48:15 +00:00
}
```
OR
2018-10-26 17:48:15 +00:00
```
{
status: "FAIL",
}
```
2018-10-26 17:50:56 +00:00
### POST /register
2018-10-26 17:45:36 +00:00
Register a new seed. Returns an app ID.
2018-10-26 17:45:36 +00:00
2018-10-26 17:48:15 +00:00
Request JSON object:
2018-10-26 17:45:36 +00:00
```
{
version: "1",
2018-10-26 19:48:21 +00:00
appuuid: "your-app-uuid",
2018-10-26 17:45:36 +00:00
token: "current time based token",
username: "user this app belongs to",
appname: "name of your web app"
2018-10-26 17:45:36 +00:00
}
```
2018-10-26 17:48:15 +00:00
Response JSON object:
```
{
status: "OK",
appuuid: "UUID of your app",
2018-10-26 17:48:15 +00:00
}
```
OR
```
{
status: "FAIL",
error: "Reason for failure"
2018-10-26 17:48:15 +00:00
}
```
2018-10-26 17:22:17 +00:00
### POST /app/register
Register a new app. Returns an app ID.
2018-10-26 17:31:18 +00:00
Request JSON object:
2018-10-27 10:09:05 +00:00
```
2018-10-26 17:31:18 +00:00
{
2018-10-26 17:34:17 +00:00
version: "1",
2018-10-26 19:48:21 +00:00
appuuid: "your-app-uuid",
2018-10-26 17:34:17 +00:00
token: "current time based token",
username: "user this app belongs to",
appname: "name of your web app"
2018-10-26 17:31:18 +00:00
}
2018-10-27 10:09:05 +00:00
```
2018-10-26 17:31:18 +00:00
Response JSON object:
2018-10-26 17:50:56 +00:00
```
2018-10-26 17:31:18 +00:00
{
2018-10-26 17:50:56 +00:00
status: "OK",
2018-10-26 19:48:21 +00:00
appuuid: "UUID of your app",
2018-10-26 17:31:18 +00:00
}
2018-10-26 17:50:56 +00:00
```
2018-10-26 17:31:18 +00:00
2018-10-26 17:50:56 +00:00
OR
```
{
status: "FAIL",
error: "Reason for failure"
}
```
2018-10-26 17:31:18 +00:00
2018-10-26 17:22:17 +00:00
### GET /app
List all registered apps for the current user.
2018-10-26 17:31:18 +00:00
Request JSON object:
2018-10-27 10:09:05 +00:00
```
2018-10-26 17:31:18 +00:00
{
2018-10-26 17:34:17 +00:00
version: "1",
2018-10-26 19:48:21 +00:00
appuuid: "your-app-uuid",
2018-10-26 17:31:18 +00:00
token: "current time based token"
}
2018-10-27 10:09:05 +00:00
```
2018-10-26 17:31:18 +00:00
Response JSON object:
2018-10-26 17:22:17 +00:00
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:50:56 +00:00
{
status: "OK",
apps: [
{
name: "name of your web app"
2018-10-26 19:48:21 +00:00
appuuid: "UUID of your app",
2018-10-26 17:50:56 +00:00
},
{
name: "name of your second web app"
2018-10-26 19:48:21 +00:00
appuuid: "UUID of your second app",
2018-10-26 17:50:56 +00:00
}
]
}
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:31:18 +00:00
### GET /app/UUID
2018-10-26 17:22:17 +00:00
Get seed for APP to be used as a token
2018-10-26 17:31:18 +00:00
Request JSON object:
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:31:18 +00:00
{
2018-10-26 17:34:17 +00:00
version: "1",
2018-10-26 19:48:21 +00:00
appuuid: "your-app-uuid",
2018-10-26 17:31:18 +00:00
token: "current time based token"
}
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:31:18 +00:00
Response JSON object:
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:31:18 +00:00
{
2018-10-26 17:51:33 +00:00
status: "OK",
2018-10-26 17:31:18 +00:00
seed: "seed of your app"
}
2018-10-26 17:51:33 +00:00
```
2018-10-26 17:22:17 +00:00
2018-10-26 17:45:36 +00:00
2018-10-26 17:22:17 +00:00
## Usage: OTP
The seeds that you receive can be used for TOTP to authenticate your
apps.
## Database
2018-10-26 19:48:21 +00:00
The database saves a list of appuuids with their seeds and the user
assignments as well as whether the appuuid might use the BUS interface.
2018-10-26 17:22:17 +00:00
Fields:
2018-10-26 19:48:21 +00:00
- appuuid (a random UUID)
2018-10-26 17:22:17 +00:00
- appname (name chosen by the user)
2018-10-26 19:48:21 +00:00
- username (who this appuuid belongs to)
2018-10-26 17:22:17 +00:00
- seed (a random base32 string)
2018-10-26 19:48:21 +00:00
- trusted (boolean, whether app is allowed to use the BUS and the
verify method)
## Environment / Configuration
- POSTGRES_USERNAME
- SECRET_KEY -- random
## Random notes / stuff
django.db.backends.postgresql
django.contrib.admin
2018-10-27 10:09:05 +00:00
```
2018-10-26 19:48:21 +00:00
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': 'mydatabase',
'USER': 'mydatabaseuser',
'PASSWORD': 'mypassword',
'HOST': '127.0.0.1',
'PORT': '5432',
}
}
2018-10-27 10:09:05 +00:00
```
2018-11-17 17:48:12 +00:00
2018-11-17 18:00:48 +00:00
Custom auth
```
from django.contrib.auth.models import User
from rest_framework import authentication
from rest_framework import exceptions
class ExampleAuthentication(authentication.BaseAuthentication):
def authenticate(self, request):
username = request.META.get('X_USERNAME')
if not username:
return None
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
raise exceptions.AuthenticationFailed('No such user')
return (user, None)
```
2018-11-17 20:45:53 +00:00
Custom user
Dont forget to point AUTH_USER_MODEL to it. Do this before creating any migrations or running manage.py migrate for the first time.
2018-11-17 17:48:12 +00:00
## TODOs
2018-11-17 18:00:48 +00:00
- [x] serialize / input request
2018-11-17 17:48:12 +00:00
- [ ] Remove hard coded JSON
2018-11-17 18:00:48 +00:00
- [ ] Implement registering of new entries
2018-11-17 20:45:53 +00:00
- [ ] Use Custom authentication (?) - needs to have a user
2018-11-17 18:00:48 +00:00
- [ ] Maybe we map name+realm == User (?)
2018-11-17 20:45:53 +00:00
- name == name@realm
- no password
- seed
- custom auth method
- [ ] Implement creating new "User"
- by POST / Model based
- [ ] Implement deleting "User"