Security - sosik/registries GitHub Wiki

This document describes the base security concept used in registries.

User

In the registries project all entities are organized in registries (tables). The security model can use any registry (chosen by a configurable parameter) as the base registry in which system users are defined. Any user who is to act as an operator (i.e. perform any non-public operation) must hold the permission System User.

Security structures

All security-related information attached to a registry entity is defined in the systemCredentials property (the schema excerpts on this page spell it systemCredential; one spelling must be used consistently). This property is strictly reserved for security management and must never be exposed in a publicly accessible schema.

Permissions

Permissions are assigned directly to a user. The base permission that distinguishes a common public user from a system user is System User.
Permissions are defined inside the systemCredentials property, in its own sub-property permissions. Each permission is a separate boolean property:

"systemCredential": {
  "type": "object",
  "properties": {
    "permissions": {
      "type": "object",
      "properties": {
        "System User": {
          "title": "System user",
          "type": "boolean"
        },
        "Registry - read": {
          "title": "View registry data",
          "type": "boolean"
        },
        "Registry - write": {
          "title": "Modify registry data",
          "type": "boolean"
        }
        ...
      }
    }
  }
}

Groups

System users can be members of security groups. Group membership is defined inside the systemCredentials property, in its own sub-property groups.

"systemCredential": {
  "type": "object",
  "properties": {
    "groups": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "registry": { "type": "string" },
          "id": { "type": "string" }
        }
      }
    }
  }
}

where each item references one group: registry names the registry in which the group is defined and id is the identifier of the group entity in that registry.

Groups are organized in a tree structure. Each group has either no parent or exactly one parent group. Groups are defined in a special registry.
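As an added example (not code from the sosik/registries project), the following JavaScript evaluates a permission and resolves the group tree over the structures described above. The contents of the groups registry, its `parent` and `name` fields, and the sample user are constructed assumptions; the page only states that groups form a tree in which each group has at most one parent.

```javascript
'use strict';
// Added example, not project code: permission check and group-tree resolution
// over the systemCredential structures. The groups registry below is
// constructed; the `parent` field is an assumption about how the tree is stored.

// Constructed sample groups registry, keyed by group id.
const groupsRegistry = {
  root:      { id: 'root',      name: 'All staff', parent: null },
  editors:   { id: 'editors',   name: 'Editors',   parent: 'root' },
  reviewers: { id: 'reviewers', name: 'Reviewers', parent: 'editors' },
};
const registries = { groups: groupsRegistry };

// Constructed sample user entity (a record from the configured user registry).
const user = {
  name: 'Alice',
  systemCredential: {
    permissions: { 'System User': true, 'Registry - read': true, 'Registry - write': false },
    groups: [{ registry: 'groups', id: 'reviewers' }],
  },
};

// A permission is granted only when it is explicitly `true`; a missing key or
// any other value (null, "yes", 1) is denied. Entities without System User
// are public users and never pass, whatever else their permissions say.
function hasPermission(entity, permission) {
  const perms = entity && entity.systemCredential && entity.systemCredential.permissions;
  if (!perms || perms['System User'] !== true) return false;
  return perms[permission] === true;
}

// Walks from each group the user is a member of up to the root of its tree and
// returns the set of group ids passed on the way. The `result` set doubles as
// a visited set, so a malformed registry containing a cycle (which the
// "at most one parent" rule forbids) terminates instead of looping forever.
function effectiveGroups(entity, regs) {
  const result = new Set();
  const memberships = (entity && entity.systemCredential && entity.systemCredential.groups) || [];
  for (const ref of memberships) {
    const registry = regs[ref.registry];
    let current = registry && registry[ref.id];
    while (current) {
      if (result.has(current.id)) break; // cycle, or a branch already covered
      result.add(current.id);
      current = current.parent ? registry[current.parent] : null;
    }
  }
  return result;
}

// Membership in a parent group is inherited down the tree.
function isMemberOf(entity, regs, groupId) {
  return effectiveGroups(entity, regs).has(groupId);
}
```

The strict `=== true` comparison matters because the schema declares the permissions as booleans but nothing stops a record from carrying other values; treating anything but a literal `true` as denied keeps a malformed record from granting access.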

Application login

A user logs in to the application by entering a user name and a password. The user name and password are stored according to the following schema:

"systemCredential": {
  "type": "object",
  "properties": {
    "login": {
      "type": "object",
      "properties": {
        "loginName": {
          "title": "Login name",
          "type": "string"
        },
        "passwordHash": {
          "title": "Password hash",
          "description": "",
          "type": "string"
        },
        "salt": {
          "title": "Salt for the password hash",
          "description": "",
          "type": "string"
        }
      }
    }
  }
}

The password hash is computed as follows:

const crypto = require('crypto');

// 64 random bytes, base64-encoded, become the per-user salt stored in the schema above
crypto.randomBytes(64, function (err, buf) {
  if (err) throw err;
  const salt = buf.toString('base64');
  // current Node.js requires the digest argument; 'sha512' is assumed here, the page names none
  crypto.pbkdf2(password, salt, 1000, 256, 'sha512', function (err, passwordHash) {
    if (err) throw err;
    ...store salt and passwordHash.toString('base64')...
  });
});

Note that 1000 iterations is far below current guidance for PBKDF2 (OWASP recommends on the order of 600,000 iterations for PBKDF2-HMAC-SHA256); the iteration count should be raised, and stored hashes should be re-derived on next successful login when it changes.

The hash for the security token is defined as uuid+IP+loginName. Of these three inputs only the uuid is unknown to an attacker, so the token is exactly as unpredictable as the uuid: it must be generated from a cryptographically secure random source (for example crypto.randomUUID or crypto.randomBytes), never from a time-based UUID.

Login process

  • the user enters a name and password in the login window
  • the server verifies the password hash
  • the server generates a security token and sends it back to the user as the cookie securityToken together with the cookie loginName
  • a record with loginName, IP, current time, securityToken and valid is stored in the DB

Login verification process

  • the user makes a request to the server, sending the cookies securityToken and loginName with it
  • the server checks that a record exists in the login log: WHERE loginName=:loginName and securityToken=:securityToken and IP=:IP and time > current time - 15 minutes and valid=true (i.e. the record's last activity falls within the last 15 minutes)
  • if no such record exists, access is denied
  • if it exists, the record's time is updated to the current time (loginName, IP, securityToken and valid stay as they are), so the 15-minute window slides with each verified request

Logout process

  • the user clicks the logout action
  • the server verifies the login and then sets valid to false on the record identified by loginName, IP and securityToken
  • the cookies are deleted