aboutsummaryrefslogtreecommitdiff
path: root/gn_auth/auth
AgeCommit message (Collapse)Author
2024-07-31Ignore warning from mypy.Frederick Muriuki Muriithi
2024-07-31Validate JWTs against all existing JWKs.Frederick Muriuki Muriithi
2024-07-31Remove obsoleted SSL_PRIVATE_KEY configurationFrederick Muriuki Muriithi
With the key rotation in place, eliminate the use of the SSL_PRIVATE_KEY configuration which pointed to a specific non-changing JWK.
2024-07-31Update datetime references on changed import.Frederick Muriuki Muriithi
2024-07-31Retrieve newest JWK, creating a new JWK where necessary.Frederick Muriuki Muriithi
To help with key rotation, we fetch the latest key, creating a new JWK in any of the following 2 conditions: * There is no JWK in the first place * The "newest" key is older than a specified number of days
2024-07-31Simplify jwks_directory() functionFrederick Muriuki Muriithi
Pass in the app object rather than a path and compute the secrets directory within the function.
2024-07-30JWT refresh: Deactivate the checks and revocationFrederick Muriuki Muriithi
The checks for whether a token is already linked, and then revoking it and raising an error were causing issues in multi-threaded environments, where there'd be multiple requests to the auth server all using an expired token. This just links the refresh token and avoids the check and revocation for the time being.
2024-07-18List any/all existing JWKsFrederick Muriuki Muriithi
List any/all existing JWKs that the server currently supports.
2024-07-18Add module to handle JWK filesFrederick Muriuki Muriithi
2024-07-17Add non-interactive script to assign make data public by default.Frederick Muriuki Muriithi
2024-06-25Roles: Get rid of use of GroupRole; use Role directly for resourcesFrederick Muriuki Muriithi
The GroupRole idea was flawed, and led to a critical bug that would have allowed privilege escalation. This uses the Role directly acting on a specific resource when assigning said role to a user.
2024-06-20Reorganise test fixtures. Fix tests and issues caught.Frederick Muriuki Muriithi
Reorganise test fixtures to more closely follow the design of the auth system. Fix the broken tests due to refactors and fix all issues caught by the running tests.
2024-06-18fix mypy errorsFrederick Muriuki Muriithi
2024-06-17Fix mypy errorsFrederick Muriuki Muriithi
2024-06-17Remove obsolete endpoint.Frederick Muriuki Muriithi
2024-06-17Fix linting errorsFrederick Muriuki Muriithi
2024-06-17Remove deprecated endpoint.Frederick Muriuki Muriithi
2024-06-17Retrieve complete list of a users roles on a particular resource.Frederick Muriuki Muriithi
2024-06-17Bug: use or's short-circuiting to prevent evaluation of statementsFrederick Muriuki Muriithi
Without the `or` later statements were being evaluated, before the final value was computed. This commit short-circuits that behaviour.
2024-06-17Fix linting errors.Frederick Muriuki Muriithi
2024-06-17Create a resource role.Frederick Muriuki Muriithi
2024-06-17Don't save the resource-owner role as a resource roleFrederick Muriuki Muriithi
The 'resource-owner' role is a system-default role that applies to most resources, but should not be editable by users. This commit removes the code that was linking the role with each resource, leading it to being presented to the user as a editable role.
2024-06-17Use the form's json attribute to retrieve sent dataFrederick Muriuki Muriithi
The system uses JSON as the default communication format, so we use the form's json attribute to get any data sent.
2024-06-11Fix typo.Frederick Muriuki Muriithi
2024-06-11Temporary fix to retrieve users with read access to resource.Frederick Muriuki Muriithi
2024-06-11List users assigned a particular role on a specific resource.handle-role-privilege-escalationFrederick Muriuki Muriithi
2024-06-11Import the symbols we use in the module directly.Frederick Muriuki Muriithi
Import the modules directly to help with reducing line-length and unnecessary typing.
2024-06-11Unassign privilege from resource role.Frederick Muriuki Muriithi
2024-06-10Improve error messaging.Frederick Muriuki Muriithi
2024-06-10Fetch a role by its ID.Frederick Muriuki Muriithi
2024-06-10Provide some endpoints for privileges.Frederick Muriuki Muriithi
2024-06-10Use new db resultset conversion functions.Frederick Muriuki Muriithi
2024-06-10Provide functions to convert DB rows into data objects.Frederick Muriuki Muriithi
2024-06-10Provide resource roles endpointFrederick Muriuki Muriithi
Provide an endpoint that returns all the roles that a particular user has on a specific resource.
2024-06-10Share reusable functionFrederick Muriuki Muriithi
2024-06-07Replace `…/group/roles` endpoint with `…/resource/…/roles` endpoint.Frederick Muriuki Muriithi
The `…/group/roles` endpoint relied on the now deleted `group_roles` table that caused the implementation to be prone to privilege escalation attacks. This commit provides the `…/resource/…/roles` endpoint that provides the required functionality without the exposure.
2024-06-07Update role assignment: user resource_roles tableFrederick Muriuki Muriithi
We no longer use the group_roles table, and have moved to the less privilege-escalation-prone resource_roles table. This commit updates the queries to use the newer resource_roles table.
2024-06-06Add deprecation warning to /group-privileges endpoint function.Frederick Muriuki Muriithi
2024-06-05Bug: Point to correct key to avoid errorsFrederick Muriuki Muriithi
2024-06-04Approximate the GN2 look-and-feel.Frederick Muriuki Muriithi
2024-06-04Redirect appropriately when verifying emails.Frederick Muriuki Muriithi
2024-06-03Raise explicit error messages for more graceful handling.enable-sending-emailsFrederick Muriuki Muriithi
2024-06-03Handle unverified emailsFrederick Muriuki Muriithi
If a user provides the correct credentials to login, but they are unverified, redirect them to the email verification page, where they are provided with a chance to verify their email, or send a new verification code.
2024-06-03Provide endpoint for verification and do verificationFrederick Muriuki Muriithi
2024-06-03Send verification email on registration.Frederick Muriuki Muriithi
2024-06-03Use asdict(...)Frederick Muriuki Muriithi
Use dataclasses.asdict function to generate the dict that will be used for the response rather than building it up manually.
2024-06-03Move user creation from db resultset into static methodFrederick Muriuki Muriithi
Creation of a User object from the database resultset will mostly be the same. This commit moves the repetitive code into a static method that can be called wherever we need it. This improves maintainability, since we only ever need to do an update in one place now.
2024-06-03Save the creation date and verification status.Frederick Muriuki Muriithi
2024-05-29Remove unused import.Frederick Muriuki Muriithi
2024-05-29Revert "jwt: add user roles to the jwt token."Frederick Muriuki Muriithi
This reverts commit 0582565fa7db4b95e86fb0dde8d83e3170e566a7. Adding the user roles to the token makes the token ridiculously large. Rather than doing that, we'll use an endpoint on the auth server to get the user roles and privileges instead.