authorLars Wirzenius <liw@liw.fi>2018-07-31 11:14:13 +0300
committerLars Wirzenius <liw@liw.fi>2018-07-31 15:54:02 +0300
commit9ead1c5c91e3c75274aa56dca2b17036cdc45573 (patch)
treec130d2b0b5a215f88b3d03cd876d9e9ef1648041 /yarns
parent329bb31dbfb7675a21605d552999c59432ef7b10 (diff)
Add: FileStore, managers for users, clients, applications
Add: UserManager
Diffstat (limited to 'yarns')
-rw-r--r--yarns/200-client-creds.yarn35
-rw-r--r--yarns/lib.py30
2 files changed, 42 insertions, 23 deletions
diff --git a/yarns/200-client-creds.yarn b/yarns/200-client-creds.yarn
index f251c71..9eff22a 100644
--- a/yarns/200-client-creds.yarn
+++ b/yarns/200-client-creds.yarn
@@ -21,8 +21,8 @@ The `USERPASS` has the client id and secret encoded as is usual for
[HTTP Basic authentication]: https://en.wikipedia.org/wiki/Basic_access_authentication
Qvisqve checks the `grant_type` parameter, and extracts `USERPASS` to
-get the client id and secret. It compares them against a static list
-of clients, which it reads at startup from its configuration file:
+get the client id and secret. It compares them against statically
+created clients, which it reads from the filesystem.
EXAMPLE Qvisqve configuration file in YAML
config:
@@ -34,19 +34,24 @@ of clients, which it reads at startup from its configuration file:
... deleted from example
LkLFQC7Y66OYjna457hU545hfF99j7nxdseXQEhV96E4RUIub+6vS8TYDEk=
-----END RSA PRIVATE KEY-----
- clients:
- test_api:
- client_secret:
- N: 16384
- hash: 5cf3b9cab1eacc818b73d229db...a023e938ee598f6c49749ef0429a889f7
- key_len: 128
- p: 1
- r: 8
- salt: 18112c4c50993ca5db908a15519c51e1
- version: 1
- allowed_scopes:
- - foo
- - bar
+ store: /var/lib/qvisqve
+
+Each client will be stored as a separate YAML file under the directory
+configured in the "store" configuration variable. For example, the
+client `test_api` is stored in `/var/lib/qvisqve/clients/test_api`:
+
+ EXAMPLE
+ client_secret:
+ N: 16384
+ hash: 5cf3b9cab1eacc818b73d229db...a023e938ee598f6c49749ef0429a889f7
+ key_len: 128
+ p: 1
+ r: 8
+ salt: 18112c4c50993ca5db908a15519c51e1
+ version: 1
+ allowed_scopes:
+ - foo
+ - bar
Qvisqve checks that the client id given by the client is found, and
that the offered client secret matches what's in the configuration
diff --git a/yarns/lib.py b/yarns/lib.py
index 9ed7f59..56707ba 100644
--- a/yarns/lib.py
+++ b/yarns/lib.py
@@ -177,15 +177,30 @@ def start_qvisqve():
V['port'] = cliapp.runcmd([os.path.join(srcdir, 'randport' )]).strip()
V['API_URL'] = 'http://127.0.0.1:{}'.format(V['port'])
- clients = {}
+ store = os.path.join(datadir, 'store')
+ os.mkdir(store)
+ os.mkdir(os.path.join(store, 'client'))
+ os.mkdir(os.path.join(store, 'application'))
+
if V['client_id'] and V['client_secret']:
sh = qvisqve_secrets.SecretHasher()
- clients = {
- V['client_id']: {
- 'client_secret': sh.hash(V['client_secret']),
- 'allowed_scopes': V['allowed_scopes'],
- },
+ client = {
+ 'hashed_secret': sh.hash(V['client_secret']),
+ 'allowed_scopes': V['allowed_scopes'],
+ }
+
+ filename = os.path.join(store, 'client', V['client_id'])
+ with open(filename, 'w') as f:
+ yaml.safe_dump(client, stream=f)
+
+ apps = V['applications']
+ for name in apps or []:
+ filename = os.path.join(store, 'application', name)
+ spec = {
+ 'callbacks': [apps[name]],
}
+ with open(filename, 'w') as f:
+ yaml.safe_dump(spec, stream=f)
config = {
'gunicorn': 'background',
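Review bot: The per-client file written at `yaml.safe_dump(client, stream=f)` uses the key `'hashed_secret'` under a directory named `'client'`, while the example added to yarns/200-client-creds.yarn in this same commit shows the file under `clients/` with a top-level `client_secret:` key, so one of the two is out of step with whatever FileStore (not in this diff) actually reads; the layout should be pinned in one place and both sides made to match. If the code is the reference, the yarn example would read `hashed_secret:` and the path `/var/lib/qvisqve/client/test_api`. The files are created with the default mode of `open(filename, 'w')`, which is acceptable for a test fixture because the dict holds only the output of `SecretHasher.hash()`, but a comment such as `# store holds hashed client secrets only; never write V['client_secret'] itself` would make that intent explicit for the next person extending this fixture. start_qvisqve begins before this hunk and continues past it.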
@@ -201,8 +216,7 @@ def start_qvisqve():
'token-public-key': V['pubkey'],
'token-issuer': V['iss'],
'token-lifetime': 3600,
- 'clients': clients,
- 'applications': V['applications'] or {},
+ 'store': store,
}
env = dict(os.environ)
env['QVISQVE_CONFIG'] = os.path.join(datadir, 'qvisqve.yaml')