aboutsummaryrefslogtreecommitdiff
path: root/gn3/auth/authentication
AgeCommit message (Collapse)Author
2023-06-30List all OAuth2 clients.Frederick Muriuki Muriithi
2023-05-30auth: Change check for client secretFrederick Muriuki Muriithi
We are saving the client secret in an encrypted form, meaning we have to verify that the CLIENT_SECRET that is provided is the same one as was generated at registration in a different way. Initially, I was doing a direct comparison, having saved the CLIENT_SECRET value as unencrypted plain-text.
2023-05-29auth: Enable registration of OAuth2 clientsFrederick Muriuki Muriithi
Add UI and code to enable the administrative user to register new OAuth2 clients that can access the API server.
2023-05-29Enable Administrator login on GN3Frederick Muriuki Muriithi
* gn3/auth/authentication/oauth2/views.py: Remove endpoint * gn3/auth/authorisation/users/admin/__init__.py: New admin module * gn3/auth/authorisation/users/admin/ui.py: New admin module * gn3/auth/authorisation/users/admin/views.py: New admin module * gn3/auth/views.py: Use new admin module * gn3/errors.py: Fix linting errors * gn3/templates/login.html: New html template * main.py: Fix linting errors
2023-05-27Document Use of OAuth2 ClientsFrederick Muriuki Muriithi
* docs/authentication_and_authorisation/oauth2_clients.md: New documentation * gn3/auth/authentication/oauth2/server.py: Raise appropriate error if no client is found. * gn3/auth/authentication/oauth2/views.py: Handle exception in the case where a UI should be presented to the user, rather than presenting the raw JSON response to the user. * gn3/errors.py: Handle any authlib OAuth2Error at the application's top-level * gn3/templates/oauth2/oauth2_error.html: Handle any authlib OAuth2Error at the application's top-level
2023-05-10auth: Only check deliverability of emails at registration.Frederick Muriuki Muriithi
Check only that the email format is correct, but don't bother with the deliverability check during authentication. The deliverability check is done at registration.
2023-05-09auth: Implement "Authorization Code Flow"auth/implement-authorization-code-flowFrederick Muriuki Muriithi
Implement the "Authorization Code Flow" for the authentication of users. * gn3/auth/authentication/oauth2/grants/authorisation_code_grant.py: query and save the authorisation code. * gn3/auth/authentication/oauth2/models/authorization_code.py: Implement the `AuthorisationCode` model * gn3/auth/authentication/oauth2/models/oauth2client.py: Fix typo * gn3/auth/authentication/oauth2/server.py: Register the `AuthorisationCodeGrant` grant with the server. * gn3/auth/authentication/oauth2/views.py: Implement `/authorise` endpoint * gn3/templates/base.html: New HTML Templates of authorisation UI * gn3/templates/common-macros.html: New HTML Templates of authorisation UI * gn3/templates/oauth2/authorise-user.html: New HTML Templates of authorisation UI * main.py: Allow both "code" and "token" response types.
2023-03-23auth: Don't try loading the user if no client is foundFrederick Muriuki Muriithi
Fix the bug where the system was trying to load a user from a non-existing OAuth2 client, leading to an exception.
2023-03-13auth: separate user detail migration from data migrationFrederick Muriuki Muriithi
Due to the fact that the data migration requires higher privileges than the user details, separate the user details migration endpoint from the data migrations endpoint.
2023-03-09auth: introspection: Protect introspection endpointFrederick Muriuki Muriithi
The introspection endpoint could contain privileged information, thus requires that the endpoint be protected. This commit ensures that a user has authenticated to the system and that the client they are using be one of the allowed clients.
2023-03-08auth: users: Use the same basic functions for password hashingFrederick Muriuki Muriithi
To avoid repeating the same thing in multiple places, leading to errors and breakages, reuse the same basic functions for password hashing.
2023-03-08Replace Bcrypt with Argon2 for better security.Frederick Muriuki Muriithi
Bcrypt is now somewhat vulnerable to offline cracking, so we move our password hashing over to Argon2.
2023-03-07auth: user_by_id: Return a user or raise an exceptionFrederick Muriuki Muriithi
Fetching the user by id should return the user, or raise an exception. We get rid of the Maybe monad here since it is leading to some weird code flows - probably the wrong monad to use here.
2023-03-06auth: resources: Enable assigning a user roles on resourcesFrederick Muriuki Muriithi
2023-02-08auth: groups: handle join requests.Frederick Muriuki Muriithi
2023-02-02auth: Reorganise modules/packages for easier dev and maintenanceFrederick Muriuki Muriithi
Split the views/routes into separate modules each dealing with a narrower scope of the application to aid in maintenance, and help with making the development easier.
2023-01-31auth: Remove the @authenticated_p decoratorFrederick Muriuki Muriithi
The @authenticated_p decorator (and function), is an artifact of the original development ideas and should be removed from use.
2023-01-31auth: Set the token scope as a string, not a listFrederick Muriuki Muriithi
Setting the scope as a list of strings was leading to errors when attempting to logout. This commit leaves the scope as a string to avoid the errors.
2023-01-28auth: rework dictifyFrederick Muriuki Muriithi
Define a Protocol type to use with the `dictify` function and implement the `dictify` methods for the various classes.
2023-01-21auth: Fix saving of scope values. Add scope items.Frederick Muriuki Muriithi
2023-01-20mypy: minor fixes to typing errorsFrederick Muriuki Muriithi
2023-01-20auth: rename revocation endpointFrederick Muriuki Muriithi
2023-01-20auth: Save token with updateFrederick Muriuki Muriithi
If the token already exists, then update the details rather than trying to insert.
2023-01-20auth: Setup the user correctlyFrederick Muriuki Muriithi
* gn3/auth/authentication/oauth2/grants/password_grant.py: Return user rather than boolean * gn3/auth/authentication/oauth2/models/oauth2client.py: provide optional `user` argument to allow flexibility in setting up the client's user * gn3/auth/authentication/oauth2/models/oauth2token.py: Set token and client user correctly * gn3/auth/authentication/oauth2/server.py: Set token user from the request
2023-01-20auth: Add development utils/toolsFrederick Muriuki Muriithi
To avoid having to manually rebuild some default data for exploration of concepts while developing the system, add a way to build up the test users and oauth2 clients to use for testing.
2023-01-11auth: Add missing importFrederick Muriuki Muriithi
2023-01-05auth: Persist the user's registration detailsFrederick Muriuki Muriithi
If the registration details pass the validations steps, then persist the details in the database and respond with details about the newly created user. * gn3/auth/authentication/users.py: new functions * `save_user`: create and persist a new user * `set_user_password`: hash and persist the new password for the given user * gn3/auth/authorisation/views.py: Persist the user details and respond with the newly persisted user details.
2023-01-04auth: Add `/register-user` endpointFrederick Muriuki Muriithi
* gn3/app.py: register top-level error handlers. reorganise oauth2 blueprint. * gn3/auth/__init__.py: reorganise oaut2 blueprint. * gn3/auth/authentication/oauth2/views.py: reorganise oauth2 blueprint. * gn3/auth/authorisation/exceptions.py -> gn3/auth/authorisation/errors.py * gn3/auth/authorisation/groups.py: rename file/module * gn3/auth/authorisation/resources.py: rename file/module * gn3/auth/authorisation/views.py: Add `/register-user` endpoint * gn3/auth/blueprint.py: reorganise oauth2 blueprint. * gn3/errors.py: register top-level error handlers.
2023-01-04auth: return group info as part of user detailsFrederick Muriuki Muriithi
* gn3/app.py: import blueprint from authorisation views inorder to get all endpoints * gn3/auth/authentication/oauth2/views.py: remove the `/user` endpoint * gn3/auth/authorisation/views.py: add the `/user` endpoint and add the group information to the user details.
2023-01-03auth: Fetch all of a user's roles.Frederick Muriuki Muriithi
* gn3/auth/authorisation/roles.py: Fetch roles from DB * gn3/auth/authorisation/views.py: Provide API endpoint for user roles * tests/unit/auth/test_roles.py: Tests to check fetching roles works correctly Fix linting and typing issues in the following files: * gn3/auth/authentication/oauth2/resource_server.py * gn3/auth/authentication/oauth2/views.py * tests/unit/auth/fixtures/oauth2_client_fixtures.py
2022-12-28auth: Add resource server and /user endpointFrederick Muriuki Muriithi
Add a resource server with the validator for the bearer token to protect the resources endpoints. Add a protected `/user` endpoint that returns the user details for valid tokens. * gn3/auth/authentication/oauth2/resource_server.py: new file * gn3/auth/authentication/oauth2/views.py: add /user endpoint
2022-12-22auth: implement OAuth2 flow.oauth2_auth_flowFrederick Muriuki Muriithi
Add code to implement the OAuth2 flow. * Add test fixtures for setting up users and OAuth2 clients * Add tests for token generation with the "Password Grant" flow * Fix some issues with test due to changes in the database connection's row_factory
2022-12-21auth: oauth2: users: Add expected propertyFrederick Muriuki Muriithi
* gn3/auth/authentication/users.py: authlib expects the user object to have a `get_user_id` method.
2022-12-21Enable authenticationFrederick Muriuki Muriithi
* gn3/auth/authentication/routes.py: Add `/login` endpoint and a function to validate the login credentials. * gn3/auth/authentication/users.py: add function to fetch user details by email
2022-11-24auth: Implement `create_resource` functionFrederick Muriuki Muriithi
* gn3/auth/authentication/checks.py: new `authenticated_p` decorator to apply on any function that requires the user to be authenticated before it runs. * gn3/auth/authorisation/checks.py: use a `auth.authentication.users.User` object rather than a UUID object in the global `g`. * gn3/auth/authorisation/groups.py: Implement the `authenticated_user_group` function to get the group(s) in which the currently authenticated user belongs. * gn3/auth/authorisation/resources.py: Implement the `create_resource` function correctly. * tests/unit/auth/conftest.py: extract the User objects into a global variable for reusability with the tests. * tests/unit/auth/test_resources.py: Use global user objects from conftest in the tests. Set a User object (rather than UUID) in the global `g` variable.
2022-11-24auth: Define base exceptionsFrederick Muriuki Muriithi
* gn3/auth/authentication/exceptions.py: define `AuthenticationError` * gn3/auth/authorisation/exceptions.py: define `AuthorisationError`
2022-11-17auth: Define the `User` typeFrederick Muriuki Muriithi
* gn3/auth/authentication.py -> gn3/auth/authentication/__init__.py: Convert module to package * gn3/auth/authentication/users.py: Define the `User` type
2022-11-03Add credentials checkingFrederick Muriuki Muriithi
* gn3/auth/authentication.py: new function `credentials_in_database` * gn3/auth/authentication/__init__.py: replace package with module * gn3/settings.py: new `AUTH_MIGRATIONS` configuration variable * migrations/auth/20221103_02_sGrIs-create-user-credentials-table.py: new migration * tests/unit/auth/test_credentials.py: test the `credentials_in_database` function * tests/unit/conftest.py: more test fixtures
2022-11-03Initialise the Auth(entic|oris)ation packagesFrederick Muriuki Muriithi
Initialise the authentication/authorisation system packages and set up the initial database migrations to set up the system. * README.md: Add documentation on migrations * gn3/auth/__init__.py: init package * gn3/auth/authentication/__init__.py: init package * gn3/auth/authorisation/__init__.py: init package * gn3/migrations.py: provide migration utilities * migrations/auth/20221103_01_js9ub-initialise-the-auth-entic-oris-ation-database.py: new migration * tests/unit/auth/test_init_database.py: test new migration applies and rolls back as expected * tests/unit/conftest.py: fixtures for unit tests * yoyo.auth.ini: basic configuration for yoyo-migration for auth system migrations