[libeufin] 01/08: Finish basic auth implementation.

gnunet-svn

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[libeufin] 01/08: Finish basic auth implementation.

From:	gnunet
Subject:	[libeufin] 01/08: Finish basic auth implementation.
Date:	Wed, 10 Nov 2021 16:22:44 +0100

This is an automated email from the git hooks/post-receive script.

ms pushed a commit to branch master
in repository libeufin.

commit cdc8f9b1df3367b098ad1456f1426d514575fd6f
Author: ms <ms@taler.net>
AuthorDate: Fri Nov 5 23:15:33 2021 +0100

    Finish basic auth implementation.
    
    Implementing check for non-admin users.
---
 .../main/kotlin/tech/libeufin/sandbox/Helpers.kt   | 44 ++++++++++++++++++++++
 .../src/main/kotlin/tech/libeufin/sandbox/Main.kt  |  2 +-
 util/src/main/kotlin/HTTP.kt                       | 33 +---------------
 3 files changed, 46 insertions(+), 33 deletions(-)

diff --git a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt 
b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
index 9005fd0f..ef96cf8f 100644
--- a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
+++ b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
@@ -21,6 +21,7 @@ package tech.libeufin.sandbox
 
 import io.ktor.application.*
 import io.ktor.http.HttpStatusCode
+import io.ktor.request.*
 import org.jetbrains.exposed.sql.SqlExpressionBuilder.eq
 import org.jetbrains.exposed.sql.and
 import org.jetbrains.exposed.sql.transactions.transaction
@@ -40,6 +41,42 @@ data class SandboxCamt(
     val creationTime: Long
 )
 
+/**
+ * Return:
+ * - null if the authentication is disabled (during tests, for example).
+ *   This facilitates tests because allows requests to lack entirely a
+ *   Authorization header.
+ * - the name of the authenticated user
+ * - throw exception when the authentication fails
+ *
+ * Note: at this point it is ONLY checked whether the user provided
+ * a valid password for the username mentioned in the Authorization header.
+ * The actual access to the resources must be later checked by each handler.
+ */
+fun ApplicationRequest.basicAuth(): String? {
+    val withAuth = this.call.ensureAttribute(WITH_AUTH_ATTRIBUTE_KEY)
+    if (!withAuth) {
+        logger.info("Authentication is disabled - assuming tests currently 
running.")
+        return null
+    }
+    val credentials = getHTTPBasicAuthCredentials(this)
+    if (credentials.first == "admin") {
+        // env must contain the admin password, because --with-auth is true.
+        val adminPassword: String = 
this.call.ensureAttribute(ADMIN_PASSWORD_ATTRIBUTE_KEY)
+        if (credentials.second != adminPassword) throw unauthorized(
+            "Admin authentication failed"
+        )
+        return credentials.first
+    }
+    val passwordHash = transaction {
+        val customer = getCustomer(credentials.first)
+        customer.passwordHash
+    }
+    if (!CryptoUtil.checkPwOrThrow(credentials.second, passwordHash))
+        throw unauthorized("Customer '${credentials.first}' gave wrong 
credentials")
+    return credentials.first
+}
+
 fun SandboxAssert(condition: Boolean, reason: String) {
     if (!condition) throw SandboxError(HttpStatusCode.InternalServerError, 
reason)
 }
@@ -85,6 +122,13 @@ fun getHistoryElementFromTransactionRow(
     return getHistoryElementFromTransactionRow(dbRow.transactionRef)
 }
 
+// Need to be called within a transaction {} block.
+fun getCustomer(username: String): DemobankCustomerEntity {
+    return DemobankCustomerEntity.find {
+        DemobankCustomersTable.username eq username
+    }.firstOrNull() ?: throw notFound("Customer '${username}' not found")
+}
+
 /**
  * Get person name from a customer's username.
  */
diff --git a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt 
b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
index 6ddd9152..efafcc99 100644
--- a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
+++ b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
@@ -80,7 +80,7 @@ import java.security.interfaces.RSAPublicKey
 import javax.xml.bind.JAXBContext
 import kotlin.system.exitProcess
 
-private val logger: Logger = LoggerFactory.getLogger("tech.libeufin.sandbox")
+val logger: Logger = LoggerFactory.getLogger("tech.libeufin.sandbox")
 private val currencyEnv: String? = System.getenv("LIBEUFIN_SANDBOX_CURRENCY")
 const val SANDBOX_DB_ENV_VAR_NAME = "LIBEUFIN_SANDBOX_DB_CONNECTION"
 private val adminPassword: String? = 
System.getenv("LIBEUFIN_SANDBOX_ADMIN_PASSWORD")
diff --git a/util/src/main/kotlin/HTTP.kt b/util/src/main/kotlin/HTTP.kt
index 70f66316..26982601 100644
--- a/util/src/main/kotlin/HTTP.kt
+++ b/util/src/main/kotlin/HTTP.kt
@@ -6,6 +6,7 @@ import io.ktor.http.*
 import io.ktor.request.*
 import io.ktor.util.*
 import logger
+import org.jetbrains.exposed.sql.transactions.transaction
 import java.net.URLDecoder
 
 fun unauthorized(msg: String): UtilError {
@@ -117,38 +118,6 @@ fun ApplicationCall.getUriComponent(name: String): String {
     if (ret == null) throw internalServerError("Component $name not found in 
URI")
     return ret
 }
-/**
- * Return:
- * - null if the authentication is disabled (during tests, for example).
- *   This facilitates tests because allows requests to lack entirely a
- *   Authorization header.
- * - the name of the authenticated user
- * - throw exception when the authentication fails
- *
- * Note: at this point it is ONLY checked whether the user provided
- * a valid password for the username mentioned in the Authorization header.
- * The actual access to the resources must be later checked by each handler.
- */
-fun ApplicationRequest.basicAuth(): String? {
-    val withAuth = this.call.ensureAttribute(WITH_AUTH_ATTRIBUTE_KEY)
-    if (!withAuth) {
-        logger.info("Authentication is disabled - assuming tests currently 
running.")
-        return null
-    }
-    val credentials = getHTTPBasicAuthCredentials(this)
-    if (credentials.first == "admin") {
-        // env must contain the admin password, because --with-auth is true.
-        val adminPassword: String = 
this.call.ensureAttribute(ADMIN_PASSWORD_ATTRIBUTE_KEY)
-        if (credentials.second != adminPassword) throw unauthorized(
-            "Admin authentication failed"
-        )
-        return credentials.first
-    }
-    throw unauthorized("Demobank customers not implemented yet!")
-    /**
-     * TODO: extract customer hashed password from the database and check.
-     */
-}
 
 /**
  * Throw "unauthorized" if the request is not

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.

[Prev in Thread]

Current Thread

[Next in Thread]

[libeufin] branch master updated (a6661dff -> fe229973), gnunet, 2021/11/10
- [libeufin] 02/08: fix visibility issue, gnunet, 2021/11/10
- [libeufin] 01/08: Finish basic auth implementation., gnunet <=
- [libeufin] 03/08: adapt after wallet tests harness, gnunet, 2021/11/10
- [libeufin] 06/08: allow longer currency names, gnunet, 2021/11/10
- [libeufin] 07/08: fixes after wallet harness, gnunet, 2021/11/10
- [libeufin] 04/08: Fixes after wallet tests harness., gnunet, 2021/11/10
- [libeufin] 05/08: fix exchange suggestion, gnunet, 2021/11/10
- [libeufin] 08/08: Fixes after wallet tests harness., gnunet, 2021/11/10

Prev by Date: [libeufin] 02/08: fix visibility issue
Next by Date: [libeufin] 03/08: adapt after wallet tests harness
Previous by thread: [libeufin] 02/08: fix visibility issue
Next by thread: [libeufin] 03/08: adapt after wallet tests harness
Index(es):
- Date
- Thread