Implement /auth for EIDA
pip install eidawsauth==0.3.1
This project is the implementation of the /auth
method as described in EIDA.
Input : a signed token (its validity will be checked by the program)
Output : a login and password in the login:password
form
This login and password are valid for a certain amount of time (24h typically)
pip install gunicorn httpie
gunicorn --reload -w 1 eidaws_auth:auth
Then, to send a POST request :
http localhost:8000/version
http POST localhost:8000 < token.asc
pip install -e .
pytest
The configuration is set in the eidawsauth/config.py
file.
There are 4 classes :
Config : the root class with some defaults
Production : the configuration suitable for production
Test : the configuration suitable for pytest
Dev : the configuration for the development environment
You can choose the configuration class by setting the RUNMODE
environment variable. Default value is DEVELOPMENT
RUNMODE=PRODUCTION gunicorn -w 4 eidaws_auth:auth
grant connect on database "resifAuth" to eidawsauth;
grant connect on database "resifInv-Prod" to eidawsauth;
\c "resifAuth"
grant select,insert,update,delete on table users,credentials to eidawsauth;
grant select,update on sequence users_user_index_seq to eidawsauth;
\c "resifInv-Prod"
grant select,insert,update,delete on table eida_temp_users to eidawsauth;
grant select on table networks to eidawsauth;
grant select,update on sequence aut_user_user_id_seq to eidawsauth;
Table users :
From the existing table, we have to add an expires_at
column.
alter table users add column if not exists expires_at timestamp default null;
Table credentials :
No modification to the resifAuth schema.
Table aut_user :
No modification to the resifInv-Prod schema.
Colonne | Type | Collationnement | NULL-able | Par défaut | Stockage |
------------+---------+-----------------+-----------+-------------------------------------------+----------+
user_id | integer | | not null | nextval('aut_user_user_id_seq'::regclass) | plain |
network_id | bigint | | | 0 | plain |
network | text | | not null | | extended |
start_year | integer | | not null | 0 | plain |
end_year | integer | | not null | 0 | plain |
name | text | | not null | | extended |
Index :
"aut_user_pkey" PRIMARY KEY, btree (user_id)
"uniq_aut_user" UNIQUE CONSTRAINT, btree (network, start_year, end_year, name)
Contraintes de clés étrangères :
"aut_user_network_id_fkey" FOREIGN KEY (network_id) REFERENCES networks(network_id) ON DELETE SET DEFAULT
What does this program do ?
- Creates or refreshes the user, setting its expires_at value (24h).
- Reads the member-of field in the token to grant access.
- Returns login:password to the client.
- /version returns the version number and environment string.
- A cleanup method removes old users, credentials and privileges.
It's probably a good idea to protect this method at the webserver level.
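As an added illustration (not the project's own code), the register, expire and cleanup cycle above modelled on an in-memory SQLite database. The tables are a simplified stand-in for users/credentials (resifAuth) and aut_user (resifInv-Prod), timestamps are ISO-8601 strings, and the member-of field is assumed to be a plain list of network codes.

```python
import sqlite3
from datetime import datetime, timedelta

TOKEN_VALIDITY = timedelta(hours=24)  # lifetime of the returned login:password


def make_db():
    """Simplified stand-in for users/credentials (resifAuth) and aut_user (resifInv-Prod)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table users (user_index integer primary key, login text unique, expires_at text);
        create table credentials (user_index integer, password text);
        create table aut_user (user_id integer primary key, network text not null,
                               start_year integer not null default 0, end_year integer not null default 0,
                               name text not null, unique (network, start_year, end_year, name));
    """)
    return db


def register(db, login, password, member_of, now):
    """Create or refresh a user whose signed token has already been verified.

    Sets expires_at to now + 24h, replaces the stored credential and grants one
    aut_user row per network of the (assumed) member-of list. Returns login:password.
    """
    expires = (datetime.fromisoformat(now) + TOKEN_VALIDITY).isoformat()
    row = db.execute("select user_index from users where login = ?", (login,)).fetchone()
    if row:
        uid = row[0]
        db.execute("update users set expires_at = ? where user_index = ?", (expires, uid))
    else:
        uid = db.execute("insert into users (login, expires_at) values (?, ?)",
                         (login, expires)).lastrowid
    db.execute("delete from credentials where user_index = ?", (uid,))
    db.execute("insert into credentials values (?, ?)", (uid, password))
    for network in member_of:
        db.execute("insert or ignore into aut_user (network, name) values (?, ?)", (network, login))
    db.commit()
    return f"{login}:{password}"


def cleanup(db, now):
    """Remove users whose expires_at is in the past, with their credentials and privileges."""
    expired = db.execute("select user_index, login from users where expires_at < ?", (now,)).fetchall()
    for uid, login in expired:
        db.execute("delete from credentials where user_index = ?", (uid,))
        db.execute("delete from aut_user where name = ?", (login,))
        db.execute("delete from users where user_index = ?", (uid,))
    db.commit()
    return len(expired)
```

Calling register again for the same login only pushes expires_at forward and swaps the password, so a client presenting a fresh token keeps the same user row until cleanup runs after the 24h window.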