EN ET

Autentimine

Texta Toolkiti kasutamiseks, peab ennast esiteks autentima:

  1. Läbi UAA (vaikimisi maha keeratud) (see Joonis 1 valik 1)

  2. või luues Texta Toolkitti konto (vaata Joonis 1 valik 2)

_images/login.png

Joonis 1 Logimisvaade alustades

Registreerimine

GUI

API

Otspunkt: /rest-auth/registration/

Näide:

curl -X POST "http://localhost:8000/api/v1/rest-auth/registration/" \
-H  "accept: application/json" \
-H  "Content-Type: application/json" \
-d '{
        "username": "myname",
        "email": "myname@example.com",
        "password1": "a123s456789",
        "password2": "a123s456789"
    }'

Vastus:

{"key":"7cd98b388e85b82bd084c80418d56a185b3a35ba"}

Vastuseks on võti, mida hiljem saab kasutada päringute autentimiseks.

Sisse logimine

Märkus

Esialgne superkasutaja konto:
kasutajanimi: admin
parool: 1234

API

Otspunkt: /rest-auth/login/

Näide:

curl -X POST "http://localhost:8000/api/v1/rest-auth/login/" \
-H "Content-Type: application/json" \
-d '{
        "username": "admin",
        "password": "1234"
    }'

Vastus:

{"key":"8229898dccf960714a9fa22662b214005aa2b049"}

Vastuseks on võti, mida hiljem saab kasutada päringute autentimiseks.

Kolmanda osapoole autentimine

Toolkiti saab autentida ka kasutades UAA-d, mida pakub CloudFoundry. See nõuab veidi konfigureerimist nii UAA serveris kui ka Toolkitis.

UAA serveri lokaalne konfigureerimine

UAA serveris on vaja konfigureerida kliendi rakendust (Toolkitti), määrates redirect_uri väärtuse. „Login“ kliendi näide on juba UAA poolt vaikimisi kaasa antud. Selle näite jaoks on seda sama kasutatud.

Näide:

  • First, deploy the UAA server locally through gradlew or Tomcat and install the CF UAA Command Line Client (UAAC) as detailed here.

  • Jooksuta $ uaac target http://localhost:8080/uaa

  • Autendi vaikimisi „admin“ klient, jooksutades $ uaac token client get admin -s adminsecret

  • Update the example „login“ client’s redirect_uri by running $ uaac client update login --scope openid,texta.* --redirect_uri http://localhost:8000/api/v1/uaa/callback. Setting openid scopes ensures

we have access to the /userinfo endpoint of UAA and the scope texta.* ensure that only scopes matching the pattern are returned. - Create a group called „texta.admins“ with $ uaac group add texta.admins, members of this group will be signed in with the superuser status, which gives access to all resources and user information. You can change the name of the scope which gives this functionality through environment variables as described below. - Create a group called „texta.project_admin“ with $ uaac group add texta.project_admin, members of this group will have project administrator rights to every project they have any kind of access to. This includes adding/removing users, deleting the Project and removing indices directly. Adding existing indices is a superuser privilege. You can change the name of the scope which gives this functionality through environment variables as described below. - Create a group called texta.members with $ uaac group add texta.member. This group will give the users access to TEXTA Toolkit and can be used to tie down Projects along with Users that exists in UAA’s groups to denote access. This scopes name can be anything as long as it matches the pattern „texta.*“.

  • Create some users and add them in their respective groups::

    # This user will be a superuser. $ uaac user add toomas.arusaru –given_name Toomas –family_name Arusaru –emails toomas.arusaru@gmail.com –password 12349876 $ uaac member add texta.member toomas.arusaru $ uaac member add texta.admin toomas.arusaru

    # This user will be a Project Administrator. $ uaac user add mati.toom –given_name Mati –family_name Toom –emails mati.toom@gmail.com –password 12349876 $ uaac member add texta.member toomas.arusaru $ uaac member add texta.project_admin toomas.arusaru

    # This user will be a normal user with no special privileges. $ uaac user add mari.salumäe –given_name Mari –family_name Salumäe –emails mari.salumae@gmail.com –password 12349876 $ uaac member add texta.member toomas.arusaru

  • Nüüd autendi ennast kui näidis „login“ klient jooksutades $ uaac token client get login -s loginsecret

UAA server on nüüd konfigureeritud. Testimiseks võib saata päring redirect_uri-le logides UAA serverisse /uaa/oauth/authorize OAuth otspunkti kaudu.

oauth/authorize URL-ile peab saatma päringu õigete parameetritega:

http://localhost:8080/uaa/oauth/authorize?response_type=code&client_id=login&scope=openid texta.*&redirect_uri=http://localhost:8000/api/v1/uaa/callback

Lahtiseletatult:

  • response_type=code annab serverile teada, et vastusesse tuleb lisada kood.

  • client_id=login on kliendi rakenduse nimi/id UAA-s.

  • scope=openid texta.* Is the OAuth scope which toolkit uses in order to authenticate/create the user on Toolkit’s side with the email and password.

  • redirect_uri=http://localhost:8000/api/v1/uaa/callback is the same redirect_uri set on the client application before, which will be used to redirect the user to the proper application after a successful login.

Rohkem infot saab siit: - https://docs.cloudfoundry.org/api/uaa/version/74.24.0/index.html - https://www.oauth.com/

MÄRKUS: e-mailiga sisse logides võib saada autentimiserroreid. Kuigi sisse logimise vorm küsib e-maili ja parooli, saadab see tegelikult kasutajanime ja parooli. Seega tasub errorit saades proovida sisse logida hoopis kasutajanime (trüki see e-maili välja) ja parooliga.

Toolkiti serveri konfigureerimine

Toolkiti serveri kliendirakenduse konfigureerimiseks tuleb määrata UAA-ga seotud keskkonnamuutjad (environment variables):

  • TEXTA_USE_UAA expects input „False“ to disable UAA, which will otherwise be enabled (Default: false).

  • TEXTA_UAA_URL needs to be the URL of the UAA server (Default: http://localhost:8080/uaa).

  • UAA_OAUTH_TOKEN_URI URL from which to get access_tokens (Default: {TEXTA_UAA_URL}/oauth/token“).

  • UAA_USERINFO_URI URL for accessing the user information (Default: {TEXTA_UAA_URL}/userinfo).

  • UAA_LOGOUT_URI URL from which to log out with (Default: „{TEXTA_UAA_URL}/logout.do“).

  • UAA_AUTHORIZE_URI = URL to authorize authentication (Default: {TEXTA_UAA_URL}/oauth/authorize).

  • TEXTA_UAA_REDIRECT_URI needs to be the redirect_uri as set on the UAA server client (Default: http://localhost:8000/api/v1/uaa/callback)

  • TEXTA_UAA_FRONT_REDIRECT_URL needs to be the URL of the Angular frontend, where the Toolkit server will redirect the user after a successful redirect_uri callback (Default: http://localhost:4200/oauth, should be http://localhost/oauth for Docker setups).

  • TEXTA_UAA_CLIENT_ID needs to be the client ID (Default: login)

  • TEXTA_UAA_CLIENT_SECRET needs to be the client application’s secret (Default: loginsecret)

  • TEXTA_UAA_SCOPES contains the scopes which will be used when communicating with UAA, must be the same as the scopes used during client creation/update inside UAA (Default: openid texta.*).

  • TEXTA_UAA_SUPERUSER_SCOPE contains the name of the scope which TEXTA Toolkit will use to check if a user should be given/taken the superuser status (Default: texta.admin).

  • TEXTA_UAA_PROJECT_ADMIN_SCOPE contains the name of the scope which TEXTA Toolkit will use to check if a user should have Project Administrator privileges

for any project they have access to (Default: texta.project_admin). - TEXTA_UAA_SCOPE_PREFIX contains the prefix for limiting access of users into TEXTA Toolkit. Any users who have a scope that matches the pattern „{TEXTA_UAA_SCOPE_PREFIX}.*“ will be granted access, anyone who doesn’t has it denied (Default: texta).

UAA eessüsteemi (front-end) kasutamine

UAA koos Angular eesüsteemiga peab olema konfigureeritud environment.ts failis.

  • useCloudFoundryUAA on tõeväärtustüübis. Kui see on False, on UAA sisse logimisvõimalus peidetud.

  • uaaConf on objekt väljadega UAA parameetrite jaoks, nt:
{

„apiHost“:“http://localhost:8000“, „apiBasePath“:“/api/v1“, „apiBasePath2“:“/api/v2“, „logging“:true, „fileFieldReplace“:“texta_filepath“, „useCloudFoundryUAA“:true, „uaaConf“:{

„uaaURL“:“http://localhost:8080“, „redirect_uri“:“http://localhost:8000/api/v1/uaa/callback“, „client_id“:“login“, „scope“:“openid texta.*“, „admin_scope“: „texta.project_admin“, # Must match the value of the environment variable „TEXTA_UAA_SUPERUSER_SCOPE“ „response_type“:“code“

}

}

UAA-d kasutades sisse logimiseks, klõpsa „log in with CloudFoundry“ nupule sisse logimise aknas:

_images/uaa_front_login.png

Joonis 2 Logi Sisse CloudFoundry valikuga Angular eesüsteemis

See suunab kasutaja UAA sisse logimise valikusse. Pärast edukat sisse logimist suunab see kasutaja tagasi Toolkiti eessüsteemi.

Testid

Toolkiti tagasüsteemis (backend) testide jooksutamiseks jooksuta: python manage.py test toolkit.uaa_auth

Eessüsteemis on testid tehtud Cypressiga uaa.e2e-spec.js failis.

MÄRKUS: UAA server peab testide töötamiseks olema käivitatud ja konfigureeritud.

Märkuseid autentimise kotha

Pärast edukat UAA serverisse sisse logimist saadab UAA server tagasihelistuse (callbacki) Toolkiti redirect_uri tagasihelistusse (callbacki), läbi mille tehakse teine päring UAA serverisse, et saada access_token ja refresh_token.

Toolkiti access_token-iga autentimiseks on vaja see lisada päringutes Authorization (HTTP_AUTHORIZATION) päisesse kui Bearer token. Näide: Authorization: Bearer 71428a9f2fb44c52be3c17f2fae405f5.

Iga päringuga Toolkit REST tagasüsteemi saadab Toolkit RESTi tagasüsteem päringu UAA serverisse, et kontrollida, kas token ikka veel kehtib. Kui see nii ei ole, tagastab see 401 vastuse.

Sellisel juhul saadab eessüsteem automaatselt refresh_token tokeni Toolkit RESTi tagasüsteemi uaa/refresh-token otspunkti koos refresh_token-iga (päringus väljal refresh_token). Toolkit REST tagasüsteemis kasutatakse ‚refresh‘ tokenit UAA serveri /oauth/token otspunkti saadetud päringus uue access_token-i saamiseks. Kui refresh_token pole valiidne või on aegunud, tagastab Toolkit REST tagasüsteemi uaa/refresh-token otspunkt 403 vastuse.

Edasiseks lugemiseks: https://docs.cloudfoundry.org/api/uaa/version/74.24.0/index.html#refresh-token