omec-project / webconsole


feat: implement authentication and authorization #217

Closed patriciareinoso closed 3 weeks ago

patriciareinoso commented 2 months ago

Description

Rationale

Webui is the upstream component offering an API to configure the 5G core network in SD-Core. However, Webui does not support any authentication mechanism which makes it accessible to everyone, threatening the product security.

The PR

This PR also:

The Feature

The following endpoints were added:

GET /config/v1/account
POST /config/v1/account
GET /config/v1/account/:username
DELETE /config/v1/account/:username
POST /config/v1/account/{username}/change_password
POST /login
GET /status

There are 2 types of users (roles): AdminRole and UserRole. Authorization is implemented based on these 2 roles.

The AdminRole user cannot be deleted.

Usage

To enable this feature, add the following to the config file.

configuration:
  enableAuthentication: true
  mongodb:
    . . . 
    webuiDbName: <name>
    webuiDbUrl: <url>

In order to perform any operation over the webui, the user must be logged in. The creation of the first user does not need authentication. The first user has AdminRole by default.

Create User

curl -v "localhost:5000/config/v1/account" \
--header 'Content-Type: application/json' \
--data '{
 "username": "adminUser",
 "password": "Admin123"
}'

Log in

curl -v "localhost:5000/login" \
--header 'Content-Type: application/json' \
--data '{
  "username": "adminUser",
  "password": "Admin123"
}'

This operation returns a token that must be used on the following requests.

{"token":"eyJhbG123aad1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluVXNlciIsInBlcm1pc3Npb25zIjoxLCJleHAiOjE3MjY1ODIyNTZ9.YU6tveV3oXcfGMvqB7xIcP1Fs6c6ZZoP134Y8ozV4lA"}

Get Users

curl -v -H "Authorization: Bearer <token>" "localhost:5000/config/v1/account" 
[{"username":"adminUser","role":1}]

Get User

curl -v -H "Authorization: Bearer <token>" "localhost:5000/config/v1/account/<username>" 
{"username":"adminUser","role":1}

Change Password

curl -v -H "Authorization: Bearer <token>" "localhost:5000/config/v1/account/<username>/change_password" \
--header 'Content-Type: application/json' \
--data '{
  "password": "NewPassword123"
}'

Delete User

curl -v -H "Authorization: Bearer <token>" -X DELETE "localhost:5000/config/v1/account/<username>"

Get Status

curl -v "localhost:5000/status"

This operation does not need a token; it indicates whether the first user was successfully created.

{"initialized":false}

or

{"initialized":true}
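An added example, not part of this PR or of the webconsole code base, that mirrors the token and access model described above: it mints and verifies an HS256 JWT with the claim names visible in the sample token (username, permissions, exp) and applies the rules the description states (no token for /status and for the first account creation, a valid login for everything else, and no deletion of an AdminRole account). Role value 1 is taken from the GET output; the UserRole value 0, the secret and the timestamps are constructed for the example.

```python
"""Added example, not webconsole's own code: verify the HS256 bearer token
format shown in the PR and apply the two authorization rules it states."""
import base64, hashlib, hmac, json

ADMIN_ROLE = 1  # matches "role":1 returned for adminUser in the PR description
USER_ROLE = 0   # assumed value for UserRole; the PR does not state it

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(username, role, secret, ttl, now):
    """Build an HS256 JWT with the claim names seen in the PR's sample token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = {"username": username, "permissions": role, "exp": now + ttl}
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, secret, now):
    """Check structure, signature and expiry; raise PermissionError on any failure.
    The MAC is always HMAC-SHA256 with the server key, so the header's "alg" is never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header, payload, sig = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        given, claims = _b64url_decode(sig), json.loads(_b64url_decode(payload))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise PermissionError("malformed token")
    if not hmac.compare_digest(given, expected):  # constant-time comparison
        raise PermissionError("bad signature")
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    return claims

def authorize(method, path, claims, initialized, target_role=None):
    """Rules from the PR: /status and the first account creation need no token, every other
    request needs a valid login, and an AdminRole account can never be deleted. Finer
    per-role restrictions are not specified in the PR and are not modelled here."""
    if path == "/status" or (method == "POST" and path == "/config/v1/account" and not initialized):
        return True
    if claims is None:
        return False
    if method == "DELETE" and path.startswith("/config/v1/account/"):
        return target_role != ADMIN_ROLE
    return True
```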

patriciareinoso commented 2 months ago

@gab-arrobo @thakurajayL can you take a look?

gab-arrobo commented 1 month ago

@patriciareinoso can you please ask one of your colleagues to give a first review? I am currently pretty busy with other stuff and if one of your colleagues reviews it, I can give it a "light" review, ok? :-)

thakurajayL commented 1 month ago

Shall review changes in a day or 2.

thakurajayL commented 1 month ago

Could you please raise a PR for the config in the default helm chart, with the default config option? It will help in making sure the feature is known to the community.

thakurajayL commented 1 month ago

Could you please add the details in the readme file as well. This will help community users who want to enable and use this feature. Whatever details you have provided in the PR can be used in the readme. Thanks.

gatici commented 1 month ago

The PR description says that password is not required during account creation. However, implementation requires password for account creation.

patriciareinoso commented 1 month ago

@thakurajayL @gab-arrobo this PR is ready for review again

gab-arrobo commented 3 weeks ago

@patriciareinoso, if you need to create a release, feel free to make a change in the VERSION file as part of this PR, or you can open another PR for that.

gruyaume commented 3 weeks ago

@patriciareinoso, if you need to create a release, feel free to make a change in the VERSION file as part of this PR, or you can open another PR for that.

@patriciareinoso let's add the version change as part of this PR please. I'll be discussing this change tomorrow and it would be awesome if it was merged at that point.

gatici commented 3 weeks ago

@patriciareinoso, if you need to create a release, feel free to make a change in the VERSION file as part of this PR, or you can open another PR for that.

@patriciareinoso let's add the version change as part of this PR please. I'll be discussing this change tomorrow and it would be awesome if it was merged at that point.

@gruyaume she is off today. After merging this, we need to create a new PR.

gruyaume commented 3 weeks ago

After merging this, we need to create a new PR.

I didn't know she was off, my bad.

Why create a separate PR for the version change? Let's wait for her to come back and add the requested copyright changes and the version file.

gatici commented 3 weeks ago

On Mon, 21 Oct 2024 at 16:08, Guillaume Belanger < @.***> wrote:

After merging this, we need to create a new PR.

I didn't know she was off, my bad.

Why create a separate PR for the version change? Let's wait for her to come back and add the requested copyright changes and the version file.

Of course we do not need a new PR, if we wait for her.
