eidawsauth

Implement /auth for EIDA


License
GPL-3.0
Install
pip install eidawsauth==0.3.1

Documentation

Method /auth for EIDA authentication

This project is the implementation of the /auth method as described in EIDA.

Input: a signed token (its validity is checked by the program)

Output: a login and password in the login:password form

This login and password are valid for a limited amount of time (typically 24h).

Playing around

pip install gunicorn httpie
gunicorn --reload -w 1 eidaws_auth:auth

Then, to send a POST request:

http localhost:8000/version
http POST localhost:8000 < token.asc

Running tests

pip install -e .
pytest

Configuration

The configuration is set in the eidawsauth/config.py file.

There are 4 classes:

  • Config : the root class with some defaults
  • Production : the configuration suitable for production
  • Test : the configuration suitable for pytest
  • Dev : the configuration for the development environment

You can choose the configuration class by setting the RUNMODE environment variable. The default value is DEVELOPMENT.

RUNMODE=PRODUCTION gunicorn -w 4 eidaws_auth:auth

Database initialisation

User and minimum privileges

grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select, insert, update, delete on table users, credentials to eidawsauth;
grant select, update on sequence users_user_index_seq to eidawsauth;
\c "resifInv-Prod"
grant select, insert, update, delete on table eida_temp_users to eidawsauth;
grant select on table networks to eidawsauth;
grant select, update on sequence aut_user_user_id_seq to eidawsauth;

Expected tables schema

AUTHDB

Table users: the existing table needs an additional expires_at column.

alter table users add column if not exists expires_at timestamp default null;

Table credentials: no modification to the resifAuth schema.

PRIVILEDGEDB

Table aut_user: no modification to the resifInv-Prod schema.

  Colonne   |  Type   | Collationnement | NULL-able |                Par défaut                 | Stockage |
------------+---------+-----------------+-----------+-------------------------------------------+----------+
 user_id    | integer |                 | not null  | nextval('aut_user_user_id_seq'::regclass) | plain    |
 network_id | bigint  |                 |           | 0                                         | plain    |
 network    | text    |                 | not null  |                                           | extended |
 start_year | integer |                 | not null  | 0                                         | plain    |
 end_year   | integer |                 | not null  | 0                                         | plain    |
 name       | text    |                 | not null  |                                           | extended |
Index :
    "aut_user_pkey" PRIMARY KEY, btree (user_id)
    "uniq_aut_user" UNIQUE CONSTRAINT, btree (network, start_year, end_year, name)
Contraintes de clés étrangères :
    "aut_user_network_id_fkey" FOREIGN KEY (network_id) REFERENCES networks(network_id) ON DELETE SET DEFAULT

Explanations

What does this program do?

Steps

  1. Get all configurations and setup database connections
  2. Read the data from the POST request. NOTE: a size limit should be enforced on the WSGI server
  3. Verify the token's signature using the geofon public key
  4. Parse the token's information
  5. Compute a random login and password
  6. Register this in the resifAuth database, along with the expires_at value (24h)
  7. From the member-of field in the token:
    • map the EPOS names to FDSN references using the epos_fdsn table in the resifAuth database (an FDSN reference is the network name, startyear, endyear)
    • register the login along with the FDSN references and the expiration date in the resifInv-Prod database, table access
  8. Return the login:password to the client
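The credential lifecycle of steps 5, 6 and 8 and of the /cleanup method, as an added Python example that is not the project's own code: an in-memory stand-in for the users/credentials tables issues a random login:password pair with a 24h expires_at, stores only a digest of the password, rejects expired or mismatched logins, and purges expired rows. The eida_ login prefix, the SHA-256 storage and the in-memory store are assumptions for the example, not how eidawsauth itself is implemented.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CREDENTIAL_LIFETIME = timedelta(hours=24)  # lifetime stated on the page (24h)

def _hash(password: str) -> str:
    # 24 random bytes have enough entropy that a plain SHA-256 digest suffices.
    return hashlib.sha256(password.encode()).hexdigest()

class CredentialStore:
    """In-memory stand-in for the users/credentials tables (constructed for this example)."""
    def __init__(self) -> None:
        self._by_login: dict[str, tuple[str, datetime]] = {}  # login -> (hash, expires_at)

    def issue(self, now: datetime) -> str:
        """Steps 5 and 6: random login and password, stored with expires_at = now + 24h."""
        login = "eida_" + secrets.token_hex(6)  # hypothetical naming scheme
        password = secrets.token_urlsafe(24)  # URL-safe alphabet, so no ':' in the pair
        self._by_login[login] = (_hash(password), now + CREDENTIAL_LIFETIME)
        return f"{login}:{password}"

    def authenticate(self, login: str, password: str, now: datetime) -> bool:
        """Accept only an unexpired login whose password matches (constant-time compare)."""
        entry = self._by_login.get(login)
        if entry is None or now >= entry[1]:
            return False
        return hmac.compare_digest(entry[0], _hash(password))

    def cleanup(self, now: datetime) -> int:
        """/cleanup: drop expired credentials and return how many were removed."""
        expired = [login for login, (_, exp) in self._by_login.items() if exp <= now]
        for login in expired:
            del self._by_login[login]
        return len(expired)

def run_demo() -> dict:
    """Walk one credential through its lifetime and return each check's result."""
    store = CredentialStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    login, password = store.issue(t0).split(":", 1)
    return {
        "fresh_ok": store.authenticate(login, password, t0),
        "wrong_password": store.authenticate(login, "wrong", t0),
        "before_expiry": store.authenticate(login, password, t0 + CREDENTIAL_LIFETIME - timedelta(seconds=1)),
        "at_expiry": store.authenticate(login, password, t0 + CREDENTIAL_LIFETIME),
        "cleanup_early": store.cleanup(t0 + timedelta(hours=1)),
        "cleanup_late": store.cleanup(t0 + timedelta(hours=25)),
    }
```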

Other methods

/version

Returns the version number and environment string.

/cleanup

Remove old users, credentials and privileges.

It's probably a good idea to protect this method at the webserver level.