Epic/Authentication & Authorization

faraonc commented 5 years ago

Objective

The Chrome user has to be authenticated within hwsc cluster.

Purpose

For every single request within a cluster a token is passed for authorization.

Prerequisites

gRPC with Basic Auth/Token guideline
Further research is needed to perform the required Token tasks. See TODO at the bottom
User password are encrypted twice, browser to app-gateway-svc and user-svc to DB
States
- AUTHENTICATED - Chrome is connected to app-gateway-svc, but not authorized
- DISCONNECTED - Chrome is disconnected to app-gateway-svc
- AUTHORIZED - Chrome is connected and authorized to app-gateway-svc
  Procedure
  1. Chrome goes to login page - DISCONNECTED
  2. Chrome logins with email and password using basic auth GRPC dial - DISCONNECTED
  3. app-gateway-svc parses the header - DISCONNECTED
  4. app-gateway-svc calls AuthenticateUser from the user-svc - DISCONNECTED
  5. If the email and password are:
- valid - then return the User without password + code.Ok - DISCONNECTED
- invalid - then return code.Unauthenticated - DISCONNECTED
  1. If AuthenticaUser returns code.Unauthenticated to app-gateway-svc: a. app-gateway-svc returns code.Unauthenticated to Chrome - DISCONNECTED b. Chrome renders failed login - DISCONNECTED
  2. If AuthenticateUser returns code.Ok + Identification to app-gateway-svc, then app-gateway-svc return code.Ok + token_string as metadata in the context to Chrome - AUTHENTICATED
  3. In order to be AUTHORIZED, Chrome has to call GetAuthToken from app-gateway-svc or parse the token_string from the context's metadata.
- token string is defined below this document
- User that is not AUTHORIZED cannot perform RPC calls, therefore this has to be called immediately after GRPC dial
  1. If Chrome calls GetAuthToken from app-gateway-svc with email and password -AUTHENTICATED
  2. app-gateway-svc calls GetAuthToken from user-svc - AUTHENTICATED
  3. user-svc validates from the DB. - AUTHENTICATED
  4. If the email and password are invalid: a. user-svc returns code.Unauthenticated to app-gateway-svc - AUTHENTICATED b. app-gateway-svc returns code.Unauthenticated to Chrome - AUTHENTICATED c. Chrome renders failed login - AUTHENTICATED
  5. If the email and password are valid, then user-svc generates and returns Identification, to `app-gateway-svc - AUTHORIZED
- Identification contains a Secret and token string
- user-svc encodes the token string using hwsc-lib NewToken
- token string expires in 2 hours
- user-svc has to record everything in a DB
  1. app-gateway-svc returns the token string to Chrome - AUTHORIZED
  2. Chrome and services exchange this token_string to authorized the actor or user - AUTHORIZED
  3. Services would use hwsc-lib to decode and validate the token string, and if it is invalid would return code.Unauthenticated ~(remember that the secret key also expires)~ - AUTHORIZED
  4. Services checks if the token string is not expired using hwsc-lib- AUTHORIZED
  5. Chrome checks if the token string is about to expire within 15 minutes, and calls GetToken from app-gateway-svc to get a new token. AUTHORIZED
  6. If the token string has expired, Chrome redirects to login page. DISCONNECTED
  7. if the token string is valid, services provide the appropriate RPC- AUTHORIZED
  8. In the event that Chrome loses connection, Chrome should redial using token auth GRPC dial to app-gateway-svc with token_string from the Token - DISCONNECTED
  9. app-gateway-svc calls VerifyToken from user-svc - DISCONNECTED
  10. user-svc verifies the token string from DB - DISCONNECTED
  11. If the token_string is:
- invalid then:
  - a. user-svc returns code.Unauthenticated toapp-gateway-svc` - DISCONNECTED
  - b . app-gateway-svc returns code.Unauthenticated to Chrome - DISCONNECTED
  - c. Chrome redirects to login page - DISCONNECTED
- valid, user-svc returns Identification + code.Ok to app-gateway-svc AUTHORIZED
  1. ~If the Secret has expired, a new Token is required (THIS IS DIFFICULT)~
    token string, Identification
Not using third party library for generating Token
Feel free to use this repo as reference on how to implement our codes
Building your own https://www.codementor.io/murphyisiwele/build-a-jwt-library-in-golang-ev6qmbbyh
token string is exchanged by Chrome and app-gateway-svc
a struct Secret contains string key and created_timestamp
a struct Identification contains struct Secret and token string
Identification is utilized in the requests for user-svc, document-svc, and file-transaction-svc
Identification is also returned in the response of user-svc to app-gateway-svc
token string expires in 2 hours
token string has 3 levels permission (feel free to add more)
- `NO_PERM
- USER - can only perform CRUD on his/her own page
- ADMIN - can perform CRUD with on any user's page
algorithm used to hash the token_string are the following:
- HS256
- HS512
encoding supported at the moment is JWT An example AUTHORIZED token will look like the following: Changed from:

"eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiMTIzNDU2Nzg5MCIsInBlcm1pc3Npb24iOiJUb2tlbi5BRE1JTiIsImV4cGlyYXRpb25fdGltZSI6MTU0OTA5MzkxMH0.OZFQ_zU1F2BJm6kyYzsBns5qmOxbVbUnQV2SU1B_kyPfXPOmUd0fddRvF0I3IqaDz-55H7Q80w8zQyldMQ7AAg"

A struct called Secret that contains the secret key as a string, and created date. and expiration date timestamp is required to generate a new secret key every week on Monday 3am ~EST~ UTC.
The Identification will be defined in the api-blocks as a message
user-svc has to provide GetAuthToken, VerifyAuthToken, GetSecret, MakeNewSecret
app-gateway-svc has to implement BasicAuth and TokenAuth, and to provide GetAuthToken

kimlisa commented 5 years ago

5. If the email and password are:

valid - then return the User without password + code.Ok - DISCONNECTED

8. In order to be AUTHORIZED, Chrome has to call GetToken from app-gateway-svc.

Why doesn't authenticateUser in user-svc also return the Token after valid credentials?

kimlisa commented 5 years ago

I guess I am not understanding why we need both authenticated and authorized states.

I also don't understand why we need to look up email and password twice, once for authentication, and again soon after just to get the token.

kimlisa commented 5 years ago

User password are encrypted twice, browser to app-gateway-svc and user-svc to DB

Are we now encrypting password? Not hashing? Because even with hashing in browser, if hacker gets access to the hash from the browser, they essentially have the password.

faraonc commented 5 years ago

If the email and password are:

valid - then return the User without password + code.Ok - DISCONNECTED

In order to be AUTHORIZED, Chrome has to call GetToken from app-gateway-svc.

Why doesn't authenticateUser in user-svc also return the Token after valid credentials?

Chrome dials to app-gateway-svc first using the following which I believe is not able to return a custom type such as a Token: (convert this to Typescript)

conn, err := grpc.DialContext(ctx, net.JoinHostPort(addr, port),
    grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(insecure.CertPool, "")),
    grpc.WithPerRPCCredentials(basicAuth{
        username: username,
        password: password,
    }),
)

faraonc commented 5 years ago

I guess I am not understanding why we need both authenticated and authorized states.

I also don't understand why we need to look up email and password twice, once for authentication, and again soon after just to get the token.

Because app-gateway-svc does not know who is the client after dialing, so we need to authorize again just to get a token. This time we are not using a built-in GRPC function but our own implementations which can return a Token.

faraonc commented 5 years ago

User password are encrypted twice, browser to app-gateway-svc and user-svc to DB

Are we now encrypting password? Not hashing? Because even with hashing in browser, if hacker gets access to the hash from the browser, they essentially have the password.

We are using https://godoc.org/golang.org/x/crypto/bcrypt which I believe is a form of encryption. Your implementation is acceptable.

faraonc commented 5 years ago

I am changing the Token into

{
  "header": {"Alg": “HS256”,"Typ":  “JWT”}
  "payload": {"uuid": "1234567890", "permission": "ADMIN","expiration_time": 1549093910} 
  "signature" : "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiMTIzNDU2Nzg5MCIsInBlcm1pc3Npb24iOiJUb2tlbi5BRE1JTiIsImV4cGlyYXRpb25fdGltZSI6MTU0OTA5MzkxMH0.OZFQ_zU1F2BJm6kyYzsBns5qmOxbVbUnQV2SU1B_kyPfXPOmUd0fddRvF0I3IqaDz-55H7Q80w8zQyldMQ7AAg"
}

faraonc commented 5 years ago

I am changing the Token into

{
  "header": {"Alg": “HS256”,"Typ":  “JWT”}
  "payload": {"uuid": "1234567890", "permission": "ADMIN","expiration_time": 1549093910} 
  "signature" : "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiMTIzNDU2Nzg5MCIsInBlcm1pc3Npb24iOiJUb2tlbi5BRE1JTiIsImV4cGlyYXRpb25fdGltZSI6MTU0OTA5MzkxMH0.OZFQ_zU1F2BJm6kyYzsBns5qmOxbVbUnQV2SU1B_kyPfXPOmUd0fddRvF0I3IqaDz-55H7Q80w8zQyldMQ7AAg"
}

We decided not to do this

faraonc commented 5 years ago

Updated:

- `user-svc` has to provide `GetAuthToken`, `VerifyAuthToken`, `GetSecret`, `MakeNewSecret`
- `app-gateway-svc` has to implement `BasicAuth` and `TokenAuth`, and to provide `GetAuthToken`

hwsc-org / hwsc-app-gateway-svc