Security
This document describes the base security concept used in registries.
In the registries project, all entities are organized in registries (tables). The security model can use any registry (a configurable parameter) as the base registry that defines system users. Any user intended to act as an operator (i.e., to perform non-public operations) must hold the System User permission.
All security-related information attached to a registry entity is defined in the systemCredentials property. This property is strictly reserved for security management and must never be exposed in a publicly accessible schema.
Permissions are assigned directly to the user. The base permission distinguishing an ordinary public user from a system user is System User.
Permissions are defined inside the systemCredentials property, in its own permissions sub-property. Each permission is defined as its own property:
```json
"systemCredential": {
  "type": "object",
  "properties": {
    "permissions": {
      "type": "object",
      "properties": {
        "System User": {
          "title": "Systémový používateľ",
          "type": "boolean"
        },
        "Registry - read": {
          "title": "Zobrazenie dát registrov",
          "type": "boolean"
        },
        "Registry - write": {
          "title": "Modifikácia dát registrov",
          "type": "boolean"
        }
        ...
      }
    }
  }
}
```
System users can be members of security groups. Group membership is defined in the systemCredentials property, in its own groups sub-property:
```json
"systemCredential": {
  "type": "object",
  "properties": {
    "groups": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "registry": { "type": "string" },
          "id": { "type": "string" }
        }
      }
    }
  }
}
```
where registry names the registry holding the group and id identifies the particular group.
Groups are organized in a tree structure: each group has either no parent or exactly one parent group. Groups are defined in a dedicated registry.
Logging in to the application is done by entering a user name and password. The user name and password are stored according to the following schema:
```json
"systemCredential": {
  "type": "object",
  "properties": {
    "login": {
      "type": "object",
      "properties": {
        "loginName": {
          "title": "Prihlasovacie meno",
          "type": "string"
        },
        "passwordHash": {
          "title": "Hash hesla",
          "description": "",
          "type": "string"
        },
        "salt": {
          "title": "Salt pre hash hesla",
          "description": "",
          "type": "string"
        }
      }
    }
  }
}
```
The password hash is computed as follows:
```javascript
const crypto = require('crypto');

// 64 random bytes, base64-encoded, become the per-user salt
crypto.randomBytes(64, function (err, buf) {
  if (err) throw err;
  const salt = buf.toString('base64');
  // 1000 iterations, 256-byte derived key; the digest argument ('sha512') is required
  // by current Node versions and was not spelled out in the original sketch
  crypto.pbkdf2(password, salt, 1000, 256, 'sha512', function (err, passwordHash) {
    if (err) throw err;
    // store loginName, salt and passwordHash (e.g. base64) in systemCredential.login
  });
});
```
The hash for the security token is defined as uuid+IP+loginName.
- the user enters a name and password in the login window
- the server verifies the hash
- the server generates a security token and sends it back to the user as the securityToken cookie, together with a loginName cookie
- loginName, IP, the current time, securityToken and valid are stored in the DB
- the user makes a request to the server, sending the securityToken and loginName cookies along with it
- the server verifies that a matching record exists in the login log:
WHERE loginName=:loginName and securityToken=:securityToken and IP=:IP and čas < aktuálny čas - 15 minút and valid=true
- if no such record exists: access denied
- if it exists, the record (loginName, IP, current time, securityToken, valid) is updated in the DB
- the user clicks the logout action
- the server verifies the login and then sets valid to false on the record (loginName, IP, current time, securityToken)
- the cookies are deleted