Baguette/authd
3
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

README update (and split).

Browse Source
This commit is contained in:
Philippe Pittoli 2024-12-11 13:25:08 +01:00
parent 4d6991798d
commit 5f36536554
6 changed files with 139 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
API.md Normal file
View File

@ -0,0 +1,34 @@
> This file is still very much a WIP.
### Protocol
authds protocol is still subject to change.
> TODO: document messages.
### Libraries
> TODO: document basic functions in the `AuthD::Client` class to exchange messages with `authd`.
A `AuthD::Client` Crystal class is available to build synchronous clients in Crystal.
### Authorization rules
Logged users can:
- retrieve public data of any user **individually**
- change their own data: password, email address, profile entries (except the read-only ones)
- delete their account
- check their own permissions
Admins with 'Read' permission on the '*' resource can:
- list users
- check permissions of other users
Admins with 'Edit' permission on the '*' resource can:
- change data of another user
Admins with 'Admin' permission on the '*' resource (or the 'admin' boolean) can:
- change read-only profile entries
- change permissions
- delete a user
- uprank and downrank admins

12
DESIGN-CHOICES.md Normal file
View File

@ -0,0 +1,12 @@
> This file is still very much a WIP.
An user has a number, a login, an email address, a profile (`Hash(String, JSON::Any)`) and permissions.
An `admin` boolean also tells weither or not the user is an administrator.
**Requests work mostly on current user**.
Some take a *UserID* to identify another user (its number or its login, both are valid), which often implies admin permissions.
**Permissions** are: None, Read, Edit, Admin.
Plus, the `admin` boolean value in the `AuthD::User` class.
> TODO: continue explaining design choices.

92
README.md
View File

@ -1,8 +1,12 @@
# authd # authd
`authd` is a token-based authentication micro-service based on [libipc][libipc]. `authd` is a (JWT) token-based authentication micro-service based on [libipc][libipc].
`authd` stores users (login, encrypted password), their profile (arbitrary data) and their *permissions*.
For example, `authd` is used by [dnsmanagerd][dnsmanagerd] to handle authentication and permissions.
> TODO: explain basic concepts behind `authd`. No SQL, the entire database is stored in plain files, thanks to [the DODB database library][dodb].
The [netlibre service][netlibre] is the first to use `authd` in a real-life deployment.
## Build ## Build
@ -20,55 +24,43 @@ make install
$ authd --help $ authd --help
``` ```
> TODO: documentation on how to deploy, including with the mail server and tools. For a more extensive documentation, please read the manual for both [authd][authdmanual] and [authctl][authctlmanual].
### Users storage See the [configuration example][configuration-example] to avoid long command-line parameters.
The storage directory will default to `./storage`. Also, extensive usage examples are available in the makefiles.
No SQL database, database management system or other kind of setup is required to run authd and store users. ## Administration
To migrate an instance of authd, a simple copy of the storage directory will be enough. ```sh
# First user in the database is an administrator.
authctl bootstrap name email
```
### Administrating users ```sh
# Add a user:
authctl user add login email
```
> TODO: document how to manage users through `authctl`. For a comprehensive list of available commands, please read the [authctl manual][authctlmanual].
## Real-life deployment
## APIs For a real-life deployment, you might want to enable registration.
In this case, you need to get a `mailer` application to send template emails.
See [an example of such application][mailer].
### Protocol ### Backup and migration
authds protocol is still subject to change. ```sh
# Database backup.
tar cfz db.tar.gz ./db-authd
> TODO: document messages. # Database migration.
tar xfz db.tar.gz
```
### Libraries Wasn't that hard, isn't it?
> TODO: document basic functions in the `AuthD::Client` class to exchange messages with `authd`.
A `AuthD::Client` Crystal class is available to build synchronous clients in Crystal.
# Authorization rules
Logged users can:
- retrieve public data of any user **individually**
- change their own data: password, email address, profile entries (except the read-only ones)
- delete their account
- check their own permissions
Admins with 'Read' permission on the '*' resource can:
- list users
- check permissions of other users
Admins with 'Edit' permission on the '*' resource can:
- change data of another user
Admins with 'Admin' permission on the '*' resource (or the 'admin' boolean) can:
- change read-only profile entries
- change permissions
- delete a user
- uprank and downrank admins
## Contributing ## Contributing
@ -76,19 +68,17 @@ Pull requests are welcome. For major changes, please open an issue first to disc
Please make sure to update tests as appropriate. Please make sure to update tests as appropriate.
# WIP: design choices # API and design choices
An user has a number, a login, an email address, a profile (`Hash(String, JSON::Any)`) and permissions. See [API.md][API] and [DESIGN-CHOICES.md][design].
An `admin` boolean also tells weither or not the user is an administrator.
**Requests work mostly on current user**.
Some take a *UserID* to identify another user (its number or its login, both are valid), which often implies admin permissions.
**Permissions** are: None, Read, Edit, Admin.
Plus, the `admin` boolean value in the `AuthD::User` class.
> TODO: continue explaining design choices.
[libipc]: https://git.baguette.netlib.re/Baguette/libipc [libipc]: https://git.baguette.netlib.re/Baguette/libipc
[dnsmanagerd]: https://git.baguette.netlib.re/Baguette/dnsmanagerd [dnsmanagerd]: https://git.baguette.netlib.re/Baguette/dnsmanagerd
[netlibre]: https://netlib.re [netlibre]: https://www.netlib.re
[configuration-example]: ./configuration-example.yml
[mailer]: https://git.baguette.netlib.re/Baguette/mailer
[authdmanual]: ./man/authd.1
[authctlmanual]: ./man/authctl.1
[dodb]: https://git.baguette.netlib.re/Baguette/dodb.cr
[API]: ./API.md
[design]: ./DESIGN-CHOICES.md

5
TODO.md
View File

@ -8,11 +8,6 @@ A combinaison of both is fine as long as the logic is comprehensively documented
A simple error message is given instead of specific messages for each recurring error. A simple error message is given instead of specific messages for each recurring error.
In the same time, some exceptions (such as **AdminAuthenticationException**) are used a few times for the same kind of errors. In the same time, some exceptions (such as **AdminAuthenticationException**) are used a few times for the same kind of errors.
### New features
- On login: inform the user he doesn't have an email address.
This happens when the user was migrated.
### Structures, not classes ### Structures, not classes
Maybe in some cases, it could be great to use structures instead of classes. Maybe in some cases, it could be great to use structures instead of classes.

50
configuration-example.yml Normal file
View File

@ -0,0 +1,50 @@
# Login and password so `authctl` can be authenticated to `authd`.
login: admin
pass: secret
# In case you have a special `mailer` application.
# Read the manual to understand how it is invoked.
mailer_exe: /usr/local/bin/my-special-mailer
# File used as password to encrypt user passwords.
secret_key_file: /var/authd/password
# Path to the database.
storage_directory: /var/authd/db
# Does symlinks have to be recreated each time the app starts?
#recreate_indexes: false
# Are registrations open? Does it require an email?
registrations: true
require_email: true
# Name of the email templates for account activation and password recovery.
activation_template: netlibre-email-activation
recovery_template: netlibre-email-recovery
# Name of the `authd` IPC service.
#service_name: auth
# Read-only user profile keys (to prevent modification from third-parties).
#read_only_profile_keys: []
#
# Verbosity-related options.
#
#verbosity: 4
#print_password_recovery_parameters: false
# IPC-related variables. By default, only print errors and exceptions.
#print_ipc_timer: false
#print_ipc_connection: false
#print_ipc_disconnection: false
#print_ipc_extra_socket: false
#print_ipc_message_received: false
#print_ipc_message_sent: false
#print_ipc_switch: false
#print_ipc_error: true
#print_ipc_exception: true
#print_keepalive: false

4
man/authctl.1
View File

@ -120,9 +120,9 @@ Operations on users.
.Nm authctl .Nm authctl
.Ar user No .Ar user No
.Ar subcommand No .Ar subcommand No
.br
.Ar subcommand : No
.in +4 .in +4
Subcommands:
.Bl -tag -width "change-password" -compact .Bl -tag -width "change-password" -compact
.It Li add .It Li add
Adding a user to the DB. Adding a user to the DB.