Application passwords CLI commands #1743

Merged: 23 commits merged on Jun 8, 2021


@gmgigi96 gmgigi96 commented May 28, 2021

Related to #1719

This PR adds the commands token-list, token-remove and token-create to manage the application passwords.

>> token-create -share bvqoPVphGpchsDd:r -label share-home -expiration 2021-05-29
+------------------+-------------------------------------+------------+--------------------------------+--------------------------------+--------------------------------+
| TOKEN            | SCOPE                               | LABEL      | EXPIRATION                     | CREATION TIME                  | LAST USED TIME                 |
+------------------+-------------------------------------+------------+--------------------------------+--------------------------------+--------------------------------+
| 074136IMU2yRGnY5 | share:"bvqoPVphGpchsDd" ROLE_VIEWER | share-home | 2021-05-29 02:00:00 +0200 CEST | 2021-05-28 18:28:55 +0200 CEST | 2021-05-28 18:28:55 +0200 CEST |
+------------------+-------------------------------------+------------+--------------------------------+--------------------------------+--------------------------------+

Multiple share and path options are possible:

>> token-create -path /home:r -path /home/M:r -share CgAeSOEDmGeBrpc:w -label new
+------------------+-------------------------------------------------------------------------------------------+-------+------------+--------------------------------+--------------------------------+
| TOKEN            | SCOPE                                                                                     | LABEL | EXPIRATION | CREATION TIME                  | LAST USED TIME                 |
+------------------+-------------------------------------------------------------------------------------------+-------+------------+--------------------------------+--------------------------------+
| I9J0bU7geBK28351 | path:"/home" ROLE_VIEWER, path:"/home/M" ROLE_VIEWER, share:"CgAeSOEDmGeBrpc" ROLE_EDITOR | new   |            | 2021-05-28 19:24:12 +0200 CEST | 2021-05-28 19:24:12 +0200 CEST |
+------------------+-------------------------------------------------------------------------------------------+-------+------------+--------------------------------+--------------------------------+
>> token-list
+--------------------------------------------------------------+------------+-------------------------------------+--------------------------------+
| TOKEN                                                        | LABEL      | SCOPE                               | EXPIRATION                     |
+--------------------------------------------------------------+------------+-------------------------------------+--------------------------------+
| $2a$11$qidTRIgv7RQKqX3RAm/pXOdK7SSWm.LKYyK124Jmv1ROhbS5vXrGy | share-home | share:"bvqoPVphGpchsDd" ROLE_VIEWER | 2021-05-29 02:00:00 +0200 CEST |
+--------------------------------------------------------------+------------+-------------------------------------+--------------------------------+

(token-list also supports some flags to filter the output list, like show only expired, show all, filter by label, as well as long and short print)

>> token-remove $2a$11$qidTRIgv7RQKqX3RAm/pXOdK7SSWm.LKYyK124Jmv1ROhbS5vXrGy
>> 

Example:

>> app-tokens-create -path /home/einstein:r
+------------------+-----------------------------------+-------+------------+--------------------------------+--------------------------------+
| TOKEN            | SCOPE                             | LABEL | EXPIRATION | CREATION TIME                  | LAST USED TIME                 |
+------------------+-----------------------------------+-------+------------+--------------------------------+--------------------------------+
| 4qS72Uv0a1J5r96O | path:"/home/einstein" ROLE_VIEWER |       |            | 2021-06-07 15:45:38 +0200 CEST | 2021-06-07 15:45:38 +0200 CEST |
+------------------+-----------------------------------+-------+------------+--------------------------------+--------------------------------+
>> login appauth
username: einstein
password: OK                          <--------- 4qS72Uv0a1J5r96O
>> stat /home
error: code=CODE_INTERNAL msg="gateway: stat ref: path:\"/home\" :gateway: error calling GetStorageProvider: rpc error: code = Unauthenticated desc = auth: core access token is invalid" support_trace="ba1b230c8de7db599a7b2ac080417039"
>> stat /home/einstein
type:RESOURCE_TYPE_CONTAINER id:<storage_id:"123e4567-e89b-12d3-a456-426655440000" opaque_id:"fileid-einstein%2Feinstein" > etag:"\"eb4168a24da50c8aec35b1a7795d50e2\"" mime_type:"httpd/unix-directory" mtime:<seconds:1623073363 > path:"/home/einstein" permission_set:<add_grant:true create_container:true delete:true get_path:true get_quota:true initiate_file_download:true initiate_file_upload:true list_grants:true list_container:true list_file_versions:true list_recycle:true move:true remove_grant:true purge_recycle:true restore_file_version:true restore_recycle_item:true stat:true update_grant:true > owner:<idp:"localhost:20080" opaque_id:"4c510ada-c86b-4815-8820-42cdf82c3d51" > arbitrary_metadata:<>
>> app-tokens-remove $2a$11$VZ5.0tMI9hTB8oSbOfovE.gRp35Q4y9wKkX8qJmE7d/sNBKs6eWYa
OK
>> login appauth
username: einstein
password: error: code=CODE_UNAUTHENTICATED msg="error authenticating user" support_trace="238db9418f10b5a4da632cd6b6c310a9"

@gmgigi96 gmgigi96 requested a review from labkode as a code owner May 28, 2021 12:39
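
The scope syntax and the path restriction shown in the description above, as an added example that is not part of this PR or reva's own code. The names `PathScope`, `ParsePathScope` and `InScope` are hypothetical, and it assumes that children of a scoped path are covered by the token:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Role names as printed in the SCOPE column; the r/w mapping is read off the
// CLI output in the description. All identifiers here are hypothetical.
var roles = map[string]string{"r": "ROLE_VIEWER", "w": "ROLE_EDITOR"}

// PathScope is one parsed "-path <path>:<r|w>" argument.
type PathScope struct{ Path, Role string }

// ParsePathScope splits on the last ':' so the path itself may contain colons.
func ParsePathScope(arg string) (PathScope, error) {
	i := strings.LastIndex(arg, ":")
	if i <= 0 || !strings.HasPrefix(arg, "/") {
		return PathScope{}, fmt.Errorf("scope %q: expected /<path>:<r|w>", arg)
	}
	role, ok := roles[arg[i+1:]]
	if !ok {
		return PathScope{}, fmt.Errorf("scope %q: unknown permission %q", arg, arg[i+1:])
	}
	return PathScope{Path: path.Clean(arg[:i]), Role: role}, nil
}

// InScope reports whether target is a scoped path or lies beneath one
// (assumption: children are covered). The target is cleaned first so
// "/home/einstein/../marie" is evaluated as "/home/marie", and the match is
// on whole segments so "/home/einstein2" does not match "/home/einstein".
func InScope(scopes []PathScope, target string) bool {
	target = path.Clean("/" + target)
	for _, s := range scopes {
		if s.Path == "/" || target == s.Path || strings.HasPrefix(target, s.Path+"/") {
			return true
		}
	}
	return false
}

func main() {
	s, _ := ParsePathScope("/home/einstein:r") // constructed input, same form as the PR example
	for _, p := range []string{"/home", "/home/einstein", "/home/einstein2", "/home/einstein/../marie"} {
		fmt.Println(p, InScope([]PathScope{s}, p))
	}
}
```
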
@ishank011 ishank011 left a comment


Hi @gmgigi96. I added a few comments

Resolved review threads on: cmd/reva/app-tokens-create.go (5, outdated), cmd/reva/app-tokens-list.go (2, outdated), cmd/reva/app-tokens-remove.go, pkg/auth/scope/scope.go (outdated), pkg/appauth/manager/json/json.go

@ishank011 (Contributor)

Can you also add the usage of these generated passwords in the description? You'll have to start the appauth auth driver and update the registry rules like this https://github.com/cs3org/reva/blob/master/examples/storage-references/gateway.toml#L18 https://github.com/cs3org/reva/blob/master/examples/storage-references/storage-public.toml#L11-L15

@gmgigi96 (Member, Author)

Updated, let me know if it is ok

ishank011 previously approved these changes Jun 4, 2021

@ishank011 (Contributor)

@gmgigi96 looks good. But I meant that you could use the created password and show that it can only be used to access the resources present in the scope. For example

>> login appauth
>> stat /path/in/scope // Should proceed
>> stat /path/not/allowed // Should return permission denied

Also, can you add a new toml file to examples/storage-references with appauth auth? I'll merge it then

@gmgigi96 (Member, Author) commented Jun 4, 2021

Thanks @ishank011, I will make the changes this afternoon

@ishank011 ishank011 merged commit 52e7228 into cs3org:master Jun 8, 2021
ishank011 pushed a commit to cernbox/reva that referenced this pull request Jun 8, 2021
@ishank011 ishank011 mentioned this pull request Jul 5, 2021