[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[libeufin] 01/08: Finish basic auth implementation.
From: |
gnunet |
Subject: |
[libeufin] 01/08: Finish basic auth implementation. |
Date: |
Wed, 10 Nov 2021 16:22:44 +0100 |
This is an automated email from the git hooks/post-receive script.
ms pushed a commit to branch master
in repository libeufin.
commit cdc8f9b1df3367b098ad1456f1426d514575fd6f
Author: ms <ms@taler.net>
AuthorDate: Fri Nov 5 23:15:33 2021 +0100
Finish basic auth implementation.
Implementing check for non-admin users.
---
.../main/kotlin/tech/libeufin/sandbox/Helpers.kt | 44 ++++++++++++++++++++++
.../src/main/kotlin/tech/libeufin/sandbox/Main.kt | 2 +-
util/src/main/kotlin/HTTP.kt | 33 +---------------
3 files changed, 46 insertions(+), 33 deletions(-)
diff --git a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
index 9005fd0f..ef96cf8f 100644
--- a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
+++ b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Helpers.kt
@@ -21,6 +21,7 @@ package tech.libeufin.sandbox
import io.ktor.application.*
import io.ktor.http.HttpStatusCode
+import io.ktor.request.*
import org.jetbrains.exposed.sql.SqlExpressionBuilder.eq
import org.jetbrains.exposed.sql.and
import org.jetbrains.exposed.sql.transactions.transaction
@@ -40,6 +41,42 @@ data class SandboxCamt(
val creationTime: Long
)
+/**
+ * Return:
+ * - null if the authentication is disabled (during tests, for example).
+ * This facilitates tests because allows requests to lack entirely a
+ * Authorization header.
+ * - the name of the authenticated user
+ * - throw exception when the authentication fails
+ *
+ * Note: at this point it is ONLY checked whether the user provided
+ * a valid password for the username mentioned in the Authorization header.
+ * The actual access to the resources must be later checked by each handler.
+ */
+fun ApplicationRequest.basicAuth(): String? {
+ val withAuth = this.call.ensureAttribute(WITH_AUTH_ATTRIBUTE_KEY)
+ if (!withAuth) {
+ logger.info("Authentication is disabled - assuming tests currently
running.")
+ return null
+ }
+ val credentials = getHTTPBasicAuthCredentials(this)
+ if (credentials.first == "admin") {
+ // env must contain the admin password, because --with-auth is true.
+ val adminPassword: String =
this.call.ensureAttribute(ADMIN_PASSWORD_ATTRIBUTE_KEY)
+ if (credentials.second != adminPassword) throw unauthorized(
+ "Admin authentication failed"
+ )
+ return credentials.first
+ }
+ val passwordHash = transaction {
+ val customer = getCustomer(credentials.first)
+ customer.passwordHash
+ }
+ if (!CryptoUtil.checkPwOrThrow(credentials.second, passwordHash))
+ throw unauthorized("Customer '${credentials.first}' gave wrong
credentials")
+ return credentials.first
+}
+
fun SandboxAssert(condition: Boolean, reason: String) {
if (!condition) throw SandboxError(HttpStatusCode.InternalServerError,
reason)
}
@@ -85,6 +122,13 @@ fun getHistoryElementFromTransactionRow(
return getHistoryElementFromTransactionRow(dbRow.transactionRef)
}
+// Need to be called within a transaction {} block.
+fun getCustomer(username: String): DemobankCustomerEntity {
+ return DemobankCustomerEntity.find {
+ DemobankCustomersTable.username eq username
+ }.firstOrNull() ?: throw notFound("Customer '${username}' not found")
+}
+
/**
* Get person name from a customer's username.
*/
diff --git a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
index 6ddd9152..efafcc99 100644
--- a/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
+++ b/sandbox/src/main/kotlin/tech/libeufin/sandbox/Main.kt
@@ -80,7 +80,7 @@ import java.security.interfaces.RSAPublicKey
import javax.xml.bind.JAXBContext
import kotlin.system.exitProcess
-private val logger: Logger = LoggerFactory.getLogger("tech.libeufin.sandbox")
+val logger: Logger = LoggerFactory.getLogger("tech.libeufin.sandbox")
private val currencyEnv: String? = System.getenv("LIBEUFIN_SANDBOX_CURRENCY")
const val SANDBOX_DB_ENV_VAR_NAME = "LIBEUFIN_SANDBOX_DB_CONNECTION"
private val adminPassword: String? =
System.getenv("LIBEUFIN_SANDBOX_ADMIN_PASSWORD")
diff --git a/util/src/main/kotlin/HTTP.kt b/util/src/main/kotlin/HTTP.kt
index 70f66316..26982601 100644
--- a/util/src/main/kotlin/HTTP.kt
+++ b/util/src/main/kotlin/HTTP.kt
@@ -6,6 +6,7 @@ import io.ktor.http.*
import io.ktor.request.*
import io.ktor.util.*
import logger
+import org.jetbrains.exposed.sql.transactions.transaction
import java.net.URLDecoder
fun unauthorized(msg: String): UtilError {
@@ -117,38 +118,6 @@ fun ApplicationCall.getUriComponent(name: String): String {
if (ret == null) throw internalServerError("Component $name not found in
URI")
return ret
}
-/**
- * Return:
- * - null if the authentication is disabled (during tests, for example).
- * This facilitates tests because allows requests to lack entirely a
- * Authorization header.
- * - the name of the authenticated user
- * - throw exception when the authentication fails
- *
- * Note: at this point it is ONLY checked whether the user provided
- * a valid password for the username mentioned in the Authorization header.
- * The actual access to the resources must be later checked by each handler.
- */
-fun ApplicationRequest.basicAuth(): String? {
- val withAuth = this.call.ensureAttribute(WITH_AUTH_ATTRIBUTE_KEY)
- if (!withAuth) {
- logger.info("Authentication is disabled - assuming tests currently
running.")
- return null
- }
- val credentials = getHTTPBasicAuthCredentials(this)
- if (credentials.first == "admin") {
- // env must contain the admin password, because --with-auth is true.
- val adminPassword: String =
this.call.ensureAttribute(ADMIN_PASSWORD_ATTRIBUTE_KEY)
- if (credentials.second != adminPassword) throw unauthorized(
- "Admin authentication failed"
- )
- return credentials.first
- }
- throw unauthorized("Demobank customers not implemented yet!")
- /**
- * TODO: extract customer hashed password from the database and check.
- */
-}
/**
* Throw "unauthorized" if the request is not
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
- [libeufin] branch master updated (a6661dff -> fe229973), gnunet, 2021/11/10
- [libeufin] 02/08: fix visibility issue, gnunet, 2021/11/10
- [libeufin] 01/08: Finish basic auth implementation.,
gnunet <=
- [libeufin] 03/08: adapt after wallet tests harness, gnunet, 2021/11/10
- [libeufin] 06/08: allow longer currency names, gnunet, 2021/11/10
- [libeufin] 07/08: fixes after wallet harness, gnunet, 2021/11/10
- [libeufin] 04/08: Fixes after wallet tests harness., gnunet, 2021/11/10
- [libeufin] 05/08: fix exchange suggestion, gnunet, 2021/11/10
- [libeufin] 08/08: Fixes after wallet tests harness., gnunet, 2021/11/10