Authentication
The Gorjun service uses GPG keys for user authorization.
You can get user public keys using the following endpoint: https://cdn.subutai.io:8338/kurjun/rest/auth/keys?user=Hub
Unfortunately, our external systems like Bazaar do not allow a user to register several GPG keys, and the following endpoint is still in use: https://cdn.subutai.io:8338/kurjun/rest/auth/keys?user=Hub
Only Subutai Bazaar has the ability to register a new user on Gorjun.
Bazaar sends the signed request with username and public key to Gorjun. Gorjun verifies this request and registers the user.
For testing purposes use the script below.
Note: instead of naming your user "Hub" you can name it as you want, but you will have to change every "Hub" occurrence to your username.
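#!/bin/bash
# Registers a test user on a local Gorjun instance.
URL=http://localhost:8080
NAME=Hub
# Placeholder below: paste the test user's ASCII-armored public key data.
KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.51

<ASCII-armored public key data>
-----END PGP PUBLIC KEY BLOCK-----"
# -k skips TLS certificate verification; it has no effect on this plain-http URL.
curl -s -k -Fname="$NAME" -Fkey="$KEY" "$URL/kurjun/rest/auth/register"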
To get a token, the user needs to perform the following steps:
- GET the authid from the Gorjun server;
- Sign it using GPG key;
- POST a signed message to the Gorjun server.
For testing purposes use the script below.
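#!/bin/bash
URL=http://localhost:8080/kurjun/rest
USER=Hub
EMAIL=you@example.com  # placeholder: e-mail (uid) of the GPG key registered for $USER
# 1. GET the authid (-k skips TLS certificate verification; test setups only)
curl -k "$URL/auth/token?user=$USER" -o /tmp/filetosign
# 2. Clearsign it; remove a stale signature first so gpg does not ask to overwrite
rm -f /tmp/filetosign.asc
gpg --armor -u "$EMAIL" --clearsign /tmp/filetosign
# 3. POST the signed message; the response body is the token
curl -k -s -Fmessage="$(cat /tmp/filetosign.asc)" -Fuser="$USER" "$URL/auth/token"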
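A hardened variant of the three token steps above, as an added example that is not part of the Gorjun project's code: it keeps the challenge in a private mktemp directory instead of fixed /tmp paths, leaves TLS certificate verification on, and fails on HTTP errors or empty responses. The function names are hypothetical; the endpoint path and the user and message form fields are the ones used on this page.

```bash
#!/bin/sh
# Added example, not Gorjun project code. Function names are hypothetical;
# endpoint paths and form fields (user, message) are the ones used on this page.

# Runs the three steps inside the private directory passed as $4.
_gorjun_token_steps() {
    base=$1; user=$2; keyid=$3; dir=$4
    # 1. GET the authid. --fail makes HTTP errors a non-zero exit; without -k,
    #    curl verifies the server certificate when the base URL is https.
    curl --silent --show-error --fail --get --data-urlencode "user=$user" \
        --output "$dir/authid" "$base/auth/token" || return 1
    if [ ! -s "$dir/authid" ]; then
        echo "gorjun_token: server returned an empty authid" >&2
        return 1
    fi
    # 2. Clearsign the authid with the key registered for this user.
    gpg --armor --local-user "$keyid" --output "$dir/authid.asc" \
        --clearsign "$dir/authid" || return 1
    # 3. POST the signed message. "message=<file" sends the file content as a
    #    text field; --form-string never treats the value as a file reference.
    token=$(curl --silent --show-error --fail --form-string "user=$user" \
        --form "message=<$dir/authid.asc" "$base/auth/token") || return 1
    if [ -z "$token" ]; then
        echo "gorjun_token: server returned an empty token" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# usage: gorjun_token <rest-base-url> <user> <gpg-key-id-or-email>
gorjun_token() {
    # mktemp -d creates a fresh 0700 directory with an unpredictable name, so no
    # other local user can pre-create or symlink the files (unlike fixed /tmp paths).
    workdir=$(mktemp -d) || return 1
    rc=0
    _gorjun_token_steps "$1" "$2" "$3" "$workdir" || rc=$?
    rm -rf "$workdir"   # the signed challenge is removed on success and on failure
    return "$rc"
}

# Example call (commented out so sourcing this file makes no network request;
# the host name and e-mail are placeholders):
# TOKEN=$(gorjun_token https://gorjun.example/kurjun/rest Hub you@example.com)
```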
The token has a limited TTL of 1 day. To check whether the token is still valid, the following URL can be used:
(substitute token= with your own token)
The Gorjun service allows a user to sign an artifact with their key to prove that the file was uploaded by a valid user.
After uploading a file, the user needs to sign its ID and POST the signature, together with the token, to the /auth/sign endpoint.
For testing purposes use the script below.
#!/bin/bash
# usage: ./testUploadScript.sh <file> <server> <category>
FILE=$1
SERVER=$2    # assigned but not used below
CATEGORY=$3
if [ ! -f "${FILE}" ]; then echo "Oops - ${FILE} does not exist" ; exit 1; fi
URL=http://localhost:8080/kurjun/rest
USER=Hub
EMAIL=you@example.com  # placeholder: e-mail (uid) of the GPG key registered for $USER
echo "Obtaining auth id..."
# -k skips TLS certificate verification; test setups only
curl -k "$URL/auth/token?user=$USER" -o /tmp/filetosign
rm -rf /tmp/filetosign.asc
gpg --armor -u "$EMAIL" --clearsign /tmp/filetosign
SIGNED_AUTH_ID=$(cat /tmp/filetosign.asc)
echo -e "Auth id obtained and signed\n$SIGNED_AUTH_ID"
TOKEN=$(curl -k -s -Fmessage="$SIGNED_AUTH_ID" -Fuser="$USER" "$URL/auth/token")
echo "Token obtained $TOKEN"
echo "Uploading file..."
ID=$(curl -sk -H "token: $TOKEN" -Ffile=@"$FILE" -Ftoken="$TOKEN" "$URL/$CATEGORY/upload")
echo "File uploaded with ID $ID"
echo "Signing file..."
# Clearsign the returned ID and submit the signature with the token
SIGN=$(echo "$ID" | gpg --clearsign --no-tty -u "$EMAIL")
curl -ks -Ftoken="$TOKEN" -Fsignature="$SIGN" "$URL/auth/sign"
echo -e "\nCompleted"
With this script you can upload files either to rest/raw or to rest/template:
- Uploading file someFile.smth to raw: sudo ./testUploadScript.sh someFile.smth "" raw
- To upload a file to rest/templates you need to have a template. You can download a sample (any) template from https://bazaar.subutai.io/ - click on your profile in the upper-right corner -> CDN -> download any template. In the config file that is inside the template archive.tar.gz, all .owner fields and paths must be Hub instead:
lxc.arch = amd64
lxc.utsname = debian-stretch
lxc.rootfs.backend=zfs
subutai.template = debian-stretch
subutai.template.owner = Hub
subutai.template.version = 0.4.1
subutai.parent = debian-stretch
subutai.parent.owner = Hub
subutai.parent.version = 0.4.1
lxc.mount.entry=/var/lib/subutai/lxc/debian-stretch:Hub:0.4.1/var var none bind,rw 0 0
lxc.mount.entry=/var/lib/subutai/lxc/debian-stretch:Hub:0.4.1/opt opt none bind,rw 0 0
lxc.mount.entry=/var/lib/subutai/lxc/debian-stretch:Hub:0.4.1/home home none bind,rw 0 0
lxc.rootfs=/var/lib/subutai/lxc/debian-stretch:Hub:0.4.1/rootfs
lxc.network.type = veth
lxc.network.script.up = /usr/sbin/subutai-create-interface
lxc.include = /usr/share/lxc/config/debian.common.conf