{ "info": { "author": "", "author_email": "", "bugtrack_url": null, "classifiers": [], "description": "maurus.networks Authentication server\n=====================================\n\nThis is a Python Django based server application that provides single sign-on\nservices for my own setup. It has OAuth2 endpoints and for applications\nthat don't support any of these: a SQL stored procedure database abstraction.\n\nAs a second application it provides *dkimsigner*, a daemon that speaks SMTP and\nreceives mail, then forwards it to another SMTP port after signing it with a\nDKIM key from its database.\n\nThe third included application is *mailforwarder*. As OpenSMTPD 6.x does not\noffer a stable filter API and `my OpenSMTPD setup`_ already `relies on\n`__ the \"stored procedure API\", *mailforwarder* provides\na daemon speaking SMTP that resolves domains and email-addresses in\n*authserver's* database and can then forward email to one-or-more other\nemail addresses. Basically a ``.forward`` or ``.qmail`` implementation based on\nauthserver's database schema as a Python daemon.\n\nIt also provides Django ``manage.py`` commands for registering OAuth2\napplications, users, domains and Docker registries. Those are useful for\ncreating configuration entries through configuration management systems.\n\nIt also includes an implementation of the\n`Docker Token Authentication protocol `__ and can therefore be\nused to secure Docker registries for push and pull with SSO credentials. The\nincluded ``manage.py`` command: ``manage.py dockerauth registry add ...``\nallows script based setup.\n\nFinally, it includes a ``checkpassword`` compatible client application that can\nbe used to integrate Apache2 ``mod_authnz_external`` or DJB checkpassword\ncompatible clients with authserver.\n\nUsers can use the admin interface to create \"service users\" which are specific\naliases for user accounts that can be used with applications that don't support\nOAuth2 so users don't have to share their passwords with the service\n(equivalent to the same feature on Google Gmail).\n\nPlanned features\n----------------\n* OAuth2 applications can use a SSL client certificate to authenticate for a\n non-standard HTTP API to register as an OAuth2 client and get their OAuth2\n credentials, cutting down on manual configuration.\n\n* OpenID Connect support\n\n* Service-specific username and passwords for systems that don't support\n OAuth2/OIDC\n\n* CAS support through ``mama-cas``\n\n* add Google Authenticator support via ``django-otp``\n\n\nInstallation\n------------\nThere is no widely available Docker container available yet, but you can install\nfrom this repository:\n\n.. code-block:: shell\n\n $ virtualenv -p python3 authserver\n $ authserver/bin/pip install net.maurus.authserver\n\n\nOr for Debian 9.0 Stretch:\n\n.. code-block:: shell\n\n $ echo \"deb http://repo.maurus.net/release/stretch mn-release main\" >> /etc/apt/sources.list.d/maurusnet.list\n $ apt update\n $ apt install authserver authclient\n\n\nAPPCONFIG FOLDER\n----------------\nThis application uses `12factor <12factor_>`__ and in its systemd configuration\nloads its configuration from a `appconfig folder `__.\n\nCanonical reserved configuration folders for this app:\n\n* **/etc/appconfig/authserver**\n* **/etc/appconfig/dkimsigner**\n* **/etc/appconfig/mailforwarder**\n\nRun ``django-admin.py`` like this:\n\n.. code-block:: shell\n\n bin/envdir /etc/appconfig/authserver/env bin/django-admin.py [command]\n --settings=authserver.settings\n\n\n12factor Environment configuration\n----------------------------------\n\nManaged configuration\n+++++++++++++++++++++\nThese environment variables must be placed in the appconfig folder manually (or\nthrough configuration management). You can just leave ``VAULT_*`` empty and set\n``DATABASE_URL`` if you're not planning on using Vault.\n\n==================== ========================================================\nVariable Description\n==================== ========================================================\nVAULT_CA Pinned CA to use to validate that we're talking to the\n right Vault.\nVAULT_DATABASE_PATH The key path to read from Vault to get database\n credentials for a full access role.\nDATABASE_PARENTROLE The role that authserver should \"sudo\" into (via\n ``SET ROLE``) after connecting to the database, i.e. the\n primary access role (only used with Vault).\nDATABASE_NAME The name of the database to connect to (only used with\n Vault).\nDATABASE_URL When client SSL certificates or usernames and passwords\n are used to connect to the database instead of Vault,\n then this URL (parsed by dj-database-url) is used to\n connect (only used without Vault).\n==================== ========================================================\n\n\nSmartstack services\n-------------------\nThis application relies on the following smartstack services being available\non localhost:\n\n==== =========== ================\nPort Service SSL Hostname\n==== =========== ================\n5432 PostgreSQL postgresql.local\n8200 Vault vault.local\n==== =========== ================\n\n\nSmartstack registration and loadbalancing\n-----------------------------------------\n\n\nBuilding\n========\n\nBuild script\n------------\nThis application is meant to be built using `GoPythonGo `__.\n\n.. code-block:: shell\n\n export REPO=maurusnet\n export APTLY_DISTRIBUTION=mn-nightly\n export APTLY_PUBLISH_ENDPOINT=s3:maurusnet:nightly/stretch\n export GNUPGHOME=/etc/gpg-managed-keyring/\n export VAULTWRAPPER_READ_PATH=secret/gpg/packaging_passphrase\n /opt/gopythongo/bin/gopythongo -v /usr/local/authserver /path/to/source\n\n\nAccess methods\n==============\n\nThere are multiple ways to authenticate user accounts against this program.\nOffered APIs include OAuth2, CAS and a \"if nothing else works\" abstraction\nlayer for direct user database access based on stored procedures.\n\nStored Procedure API\n--------------------\nSince some applications (like OpenSMTPD and Dovecot) which are used by\n`my saltshaker `__ need lowest common denominator\nauthentication, authserver includes a pgplsql stored procedure API tailored to\nOpenSMTPD to validate user accounts.\n\n== =================================== =====================================\nN Function Name Description\n== =================================== =====================================\n1 ``authserver_get_credentials( Gets a username password pair for the\n varchar)`` provided email address together with\n the primary delivery email address.\n (Users can log in with every email\n alias and their account password.)\n2 ``authserver_check_domain( Checks whether the passed domain is a\n varchar)`` valid delivery domain.\n3 ``authserver_resolve_alias(varchar, Resolves email addresses to known\n boolean)`` ``MNUser`` or ``MailingList``\n instances. Resolving a primary\n delivery address will return the\n \"magic\" value \"virtmail\" pointing to\n the system user normally handling\n email delivery if the boolean\n parameter is ``true``. If the boolean\n parameter is ``false`` it will return\n the primary delivery address again. If\n the resolved address is a\n ``MailingList`` it will return the\n input unchanged.\n4 ``authserver_iterate_users()`` Returns a list of all valid delivery\n mailboxes.\n== =================================== =====================================\n\nAccess to the stored procedure API is managed by the ``django-admin.py spapi``\ncommand which allows you to ``grant`` access to database users, ``install`` the\nstored procedures on the database and ``check`` whether the stored procedures\nhave been installed or if a specific database user has ``execute`` access to\nthe stored procedures. For more information, please run:\n\n.. code-block:: shell\n\n /usr/local/authserver/bin/envdir /etc/appconfig/authserver/env/ \\\n /usr/local/authserver/bin/django-admin.py spapi --help\n\n\nOAuth2\n------\nauthserver delivers OAuth2 support over the following endpoints:\n\n* ``/o2/authorize/``\n* ``/o2/token/``\n* ``/o2/revoke_token/``\n\nYou can create client applications and authorization scopes via the Django\nadmin interface or ``manage.py oauth2|permissions`` and assign scopes to users\nand groups respectively. The authorization view will list the scopes for the\nuser to approve unless automatic authorization is turned on for the OAuth2\nclient.\n\n\nDocker Auth\n-----------\nauthserver supports Docker-compatible JWTs using the \"resource owner\" OAuth2\nflow via ``docker login`` at ``https://your.authserver.domain/docker/token/``.\nYou can generally just use ``docker login https://your.authserver.domain/`` and\ncreate Docker registry instances and access rights to namespaces on that\nregistry via the Django admin interface or the ``manage.py dockerauth``\ncommand.\n\n\nPropietary endpoints and mod_authnz_external\n--------------------------------------------\nThe ``checkpassword.py`` command-line script, also shipped in the\n``authclient`` Debian package is compatible with djb checkpassword and Apache2\nmod_authnz_external. It uses two proprietary API endpoints:\n\n* ``/checkpassword/`` which takes a username and optionally a list of\n scopes and password (for something akin to the \"resource owner\" OAuth2 flow)\n and issues a JWT that has the user's assigned scopes and validates the\n password (if transmitted).\n\n* ``/getkey/`` exports a RSA public key for a domain registered with authserver\n to allow a client to validate an issued JWT.\n\nYou should prefer OAuth2 where possible as this solution will bring the client\ninto possession of the user's password. However, if you trust the client this\nis an alternative solution. Obviously it's also an easy way to integrate legacy\nsystems.\n\n``checkpassword.py`` can operate in 5 modes:\n\n* ``-m init`` uses the getkey API to load a RSA public key for the authserver's\n domain and output it to stdout or into a file.\n* ``-m check`` behaves like ``init`` but makes no changes, it's useful to check\n whether a domain has a JWT key to export or that key is readable to\n checkpassword on the file system.\n* ``-m authext`` and ``-m checkpassword`` read username and password from stdin\n (either in the way specified by mod_authnz_external or djb checkpassword) and\n send them to the server to be validated. The program then either exits with\n exit code ``0`` (success), ``1`` if the auth domain is invalid, ``2`` if\n there are API connection problems and ``3`` for anything else.\n* ``-m authextgroup`` validates a list of scopes for a username. This does\n **not** validate the user's password. This is useful for\n mod_authnz_external's ``GroupExternal`` configuration, but you must\n additionally authenticate the user.\n\nThe API endpoints respond with a JSON Web Token (JWT) with the following\nclaims:\n\n.. code-block:: json\n\n {\n \"sub\": \"the provided username\"\n \"canonical_username\": \"the user's delivery_mailbox name\"\n \"authenticated\": true or false depending on the status of the password check\n \"authorized\": true or false depending on whether the user has all submitted scopes,\n \"scopes\": [\"a list of\", \"all the scopes\", \"assigned to this user\"],\n \"nbf\": int(Unix Epoch timestamp of now minus 5 seconds),\n \"exp\": int(Unix Epoch timestamp of now plus 3600 seconds),\n \"iss\": \"the auth domain name\",\n \"aud\": \"net.maurus.authclient\"\n }\n\n\nTODO\n====\n\n* refactor Vault fullaccess role into actually granting access to new tables\n\n\nLicensing\n=========\n\nPlease see the `LICENSE `__ document for the terms under which this\nsource code is licensed.\n\nThis program includes a copy of\n`django12factor `__ which is licensed under The MIT License\n(MIT) Copyright (c) 2013-2017 Kristian Glass.\n\nThis program includes a copy of\n`Select2 JavaScript library `__ which is licensed user the MIT\nLicense (MIT)\nCopyright (c) 2012-2017 Kevin Brown, Igor Vaynberg, and Select2 contributors\n\n\n.. _12factor: https://12factor.net/\n.. _appconfig:\n https://github.com/jdelic/saltshaker/blob/master/ETC_APPCONFIG.md\n.. _certified_builds:\n https://github.com/jdelic/saltshaker/blob/master/CERTIFIED_BUILDS.md\n.. _django12factor: https://github.com/doismellburning/django12factor/\n.. _dockerauth: https://docs.docker.com/registry/spec/auth/token/\n.. _gopythongo: https://github.com/gopythongo/gopythongo/\n.. _jdelics_saltshaker: https://github.com/jdelic/saltshaker/\n.. _my OpenSMTPD setup:\n https://github.com/jdelic/saltshaker/blob/master/srv/salt/opensmtpd/\n smtpd.jinja.conf\n.. _opensmtpd_spapi:\n https://github.com/jdelic/saltshaker/blob/master/srv/salt/opensmtpd/\n postgresql.table.jinja.conf\n.. _select2:\n https://github.com/select2/select2/\n\n\n", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "", "keywords": "", "license": "", "maintainer": "", "maintainer_email": "", "name": "net.maurus.authserver", "package_url": "https://pypi.org/project/net.maurus.authserver/", "platform": "", "project_url": "https://pypi.org/project/net.maurus.authserver/", "project_urls": null, "release_url": "https://pypi.org/project/net.maurus.authserver/0.1.77/", "requires_dist": [ "12factor-vault (==0.1.20)", "cryptography (==2.2.2)", "Django (==1.11.13)", "django-cors-headers (==2.2.0)", "django-dbconn-retry (==0.1.5)", "django-mama-cas (==2.3.0)", "django-oauth-toolkit (==1.1.2)", "django-postgresql-setrole (==1.0.10)", "django-ratelimit (==1.1.0)", "django-select2 (==5.11.1)", "envdir (==1.0.1)", "gunicorn (==19.8.1)", "hvac (==0.6.0)", "passlib (==1.7.1)", "psycopg2-binary (==2.7.4)", "pyjwt (==1.6.4)", "python-consul (==1.0.1)", "python-json-logger (==0.1.9)", "requests (==2.19.1)", "sqlparse (==0.2.4)", "typing (==3.6.4)", "whitenoise (==3.3.1)", "valimail-dkimpy (==0.7.1)", "authres (==1.1.0)", "python-daemon (==2.1.2)", "dj-database-url (==0.5.0)", "dj-email-url (==0.1.0)", "django-cache-url (==3.0.0)", "six (==1.11.0)", "pytz" ], "requires_python": "", "summary": "A Python 3 Django-based OAuth2/Docker Auth/JWT SSO server with additional mail routing.", "version": "0.1.77" }, "last_serial": 3970832, "releases": { "0.1.70": [ { "comment_text": "", "digests": { "md5": "641fa511f4b6d6de0afffcee7c9cb559", "sha256": "8d3441e6817b63438bbf9dd7cc1870a4d6140232c46528fae041a7ff9798e4f4" }, "downloads": -1, "filename": "net.maurus.authserver-0.1.70-py3-none-any.whl", "has_sig": false, "md5_digest": "641fa511f4b6d6de0afffcee7c9cb559", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 106319, "upload_time": "2018-04-23T13:26:18", "url": "https://files.pythonhosted.org/packages/a0/ae/3496d260d9a23806d3f17d7a728663de586a572d70a3124dca148db26549/net.maurus.authserver-0.1.70-py3-none-any.whl" } ], "0.1.75": [ { "comment_text": "", "digests": { "md5": "0e8bdadac9b84825f4e1dd579eb5b7ef", "sha256": "1fcf5da159170aa8e233dedd71bc89787619d615aae9d80c3c34c3ecb41442af" }, "downloads": -1, "filename": "net.maurus.authserver-0.1.75-py3-none-any.whl", "has_sig": false, "md5_digest": "0e8bdadac9b84825f4e1dd579eb5b7ef", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 122771, "upload_time": "2018-05-07T22:26:43", "url": "https://files.pythonhosted.org/packages/d4/29/c4a1427f839ea7eff24225b945f69449543c4c6ecc0aaa7bbbe9eb4b9c99/net.maurus.authserver-0.1.75-py3-none-any.whl" } ], "0.1.77": [ { "comment_text": "", "digests": { "md5": "dc15197b2393bd96a400fa710a47bead", "sha256": "0ab57d098605010319309766bb55eebef7964cf5a1b56e1a7f32ca8bfaefa7bc" }, "downloads": -1, "filename": "net.maurus.authserver-0.1.77-py3-none-any.whl", "has_sig": false, "md5_digest": "dc15197b2393bd96a400fa710a47bead", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 122795, "upload_time": "2018-06-17T11:12:48", "url": "https://files.pythonhosted.org/packages/4a/79/d0b244caed2b82619395773925908d111cbe9cecad339b7b9e38517eb022/net.maurus.authserver-0.1.77-py3-none-any.whl" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "dc15197b2393bd96a400fa710a47bead", "sha256": "0ab57d098605010319309766bb55eebef7964cf5a1b56e1a7f32ca8bfaefa7bc" }, "downloads": -1, "filename": "net.maurus.authserver-0.1.77-py3-none-any.whl", "has_sig": false, "md5_digest": "dc15197b2393bd96a400fa710a47bead", "packagetype": "bdist_wheel", "python_version": "py3", "requires_python": null, "size": 122795, "upload_time": "2018-06-17T11:12:48", "url": "https://files.pythonhosted.org/packages/4a/79/d0b244caed2b82619395773925908d111cbe9cecad339b7b9e38517eb022/net.maurus.authserver-0.1.77-py3-none-any.whl" } ] }