author | Lars Wirzenius <liw@liw.fi> | 2018-07-31 11:14:13 +0300 |
committer | Lars Wirzenius <liw@liw.fi> | 2018-07-31 15:54:02 +0300 |
commit | 9ead1c5c91e3c75274aa56dca2b17036cdc45573 (patch) | |
tree | c130d2b0b5a215f88b3d03cd876d9e9ef1648041 /yarns | |
parent | 329bb31dbfb7675a21605d552999c59432ef7b10 (diff) | |
download | qvisqve-9ead1c5c91e3c75274aa56dca2b17036cdc45573.tar.gz |
Add: FileStore, managers for users, clients, applications
Add: UserManager
Diffstat (limited to 'yarns')
-rw-r--r-- | yarns/200-client-creds.yarn | 35 | ||||
-rw-r--r-- | yarns/lib.py | 30 |
2 files changed, 42 insertions, 23 deletions
diff --git a/yarns/200-client-creds.yarn b/yarns/200-client-creds.yarn
index f251c71..9eff22a 100644
--- a/yarns/200-client-creds.yarn
+++ b/yarns/200-client-creds.yarn
@@ -21,8 +21,8 @@ The `USERPASS` has the client id and secret encoded as is usual for
 [HTTP Basic authentication]: https://en.wikipedia.org/wiki/Basic_access_authentication
 Qvisqve checks the `grant_type` parameter, and extracts `USERPASS` to
-get the client id and secret. It compares them against a static list
-of clients, which it reads at startup from its configuration file:
+get the client id and secret. It compares them against statically
+created clients, which it reads from the filesystem.
 EXAMPLE Qvisqve configuration file in YAML config:
@@ -34,19 +34,24 @@ of clients, which it reads at startup from its configuration file:
 ... deleted from example
 LkLFQC7Y66OYjna457hU545hfF99j7nxdseXQEhV96E4RUIub+6vS8TYDEk=
 -----END RSA PRIVATE KEY-----
- clients:
- test_api:
- client_secret:
- N: 16384
- hash: 5cf3b9cab1eacc818b73d229db...a023e938ee598f6c49749ef0429a889f7
- key_len: 128
- p: 1
- r: 8
- salt: 18112c4c50993ca5db908a15519c51e1
- version: 1
- allowed_scopes:
- - foo
- - bar
+ store: /var/lib/qvisqve
+
+Each client will be stored as a separate YAML file under the directory
+configured in the "store" configuration variable. For example, the
+client `test_api` is stored in `/var/lib/qvisqve/clients/test_api`:
+
+ EXAMPLE
+ client_secret:
+ N: 16384
+ hash: 5cf3b9cab1eacc818b73d229db...a023e938ee598f6c49749ef0429a889f7
+ key_len: 128
+ p: 1
+ r: 8
+ salt: 18112c4c50993ca5db908a15519c51e1
+ version: 1
+ allowed_scopes:
+ - foo
+ - bar
 Qvisqve checks that the client id given by the client is found, and that the offered client secret matches what's in the configuration
diff --git a/yarns/lib.py b/yarns/lib.py
index 9ed7f59..56707ba 100644
--- a/yarns/lib.py
+++ b/yarns/lib.py
@@ -177,15 +177,30 @@ def start_qvisqve():
 V['port'] = cliapp.runcmd([os.path.join(srcdir, 'randport' )]).strip()
 V['API_URL'] = 'http://127.0.0.1:{}'.format(V['port'])
- clients = {}
+ store = os.path.join(datadir, 'store')
+ os.mkdir(store)
+ os.mkdir(os.path.join(store, 'client'))
+ os.mkdir(os.path.join(store, 'application'))
+
 if V['client_id'] and V['client_secret']:
 sh = qvisqve_secrets.SecretHasher()
- clients = {
- V['client_id']: {
- 'client_secret': sh.hash(V['client_secret']),
- 'allowed_scopes': V['allowed_scopes'],
- },
+ client = {
+ 'hashed_secret': sh.hash(V['client_secret']),
+ 'allowed_scopes': V['allowed_scopes'],
+ }
+
+ filename = os.path.join(store, 'client', V['client_id'])
+ with open(filename, 'w') as f:
+ yaml.safe_dump(client, stream=f)
+
+ apps = V['applications']
+ for name in apps or []:
+ filename = os.path.join(store, 'application', name)
+ spec = {
+ 'callbacks': [apps[name]],
 }
+ with open(filename, 'w') as f:
+ yaml.safe_dump(spec, stream=f)
 config = {
 'gunicorn': 'background',
@@ -201,8 +216,7 @@ def start_qvisqve():
 'token-public-key': V['pubkey'],
 'token-issuer': V['iss'],
 'token-lifetime': 3600,
- 'clients': clients,
- 'applications': V['applications'] or {},
+ 'store': store,
 }
 env = dict(os.environ)
 env['QVISQVE_CONFIG'] = os.path.join(datadir, 'qvisqve.yaml') |
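Review bot: The store layout this hunk writes disagrees with the layout the same commit documents in 200-client-creds.yarn: here the client file goes to `os.path.join(store, 'client', V['client_id'])` with a `hashed_secret` key, while the yarn says `/var/lib/qvisqve/clients/test_api` with a `client_secret` key. Whichever naming the FileStore actually reads, the other side should be corrected, otherwise the scenario either fails to find the client or passes for a reason the documentation does not describe. The client id and application name are also used verbatim as file names; that is fine for fixture data the scenario controls, but if the server-side FileStore resolves ids the same way (not visible here), an id containing `/` or `..` would escape the store directory, so a scenario asserting such ids are rejected would be worth adding. start_qvisqve begins before this hunk and continues after it.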