1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179 | -----------------------------------------------------------------------
-- security-oauth-file_registry -- File Based Application and Realm
-- Copyright (C) 2017, 2018 Stephane Carrez
-- Written by Stephane Carrez (Stephane.Carrez@gmail.com)
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
-----------------------------------------------------------------------
with Ada.Strings.Unbounded;
with Ada.Strings.Hash;
with Ada.Containers.Indefinite_Hashed_Maps;
with Util.Strings;
with Util.Properties;
with Security.OAuth.Servers;
with Security.Permissions;
private with Util.Strings.Maps;
private with Security.Random;
package Security.OAuth.File_Registry is
type File_Principal is new Servers.Principal with private;
type File_Principal_Access is access all File_Principal'Class;
-- Get the principal name.
overriding
function Get_Name (From : in File_Principal) return String;
-- Check if the permission was granted.
overriding
function Has_Permission (Auth : in File_Principal;
Permission : in Security.Permissions.Permission_Index)
return Boolean;
type File_Application_Manager is new Servers.Application_Manager with private;
-- Find the application that correspond to the given client id.
-- The <tt>Invalid_Application</tt> exception should be raised if there is no such application.
overriding
function Find_Application (Realm : in File_Application_Manager;
Client_Id : in String) return Servers.Application'Class;
-- Add the application to the application repository.
procedure Add_Application (Realm : in out File_Application_Manager;
App : in Servers.Application);
-- Load from the properties the definition of applications. The list of applications
-- is controlled by the property <prefix>.list which contains a comma separated list of
-- application names or ids. The application definition are represented by properties
-- of the form:
-- <prefix>.<app>.client_id
-- <prefix>.<app>.client_secret
-- <prefix>.<app>.callback_url
procedure Load (Realm : in out File_Application_Manager;
Props : in Util.Properties.Manager'Class;
Prefix : in String);
procedure Load (Realm : in out File_Application_Manager;
Path : in String;
Prefix : in String);
type File_Realm_Manager is limited new Servers.Realm_Manager with private;
-- Authenticate the token and find the associated authentication principal.
-- The access token has been verified and the token represents the identifier
-- of the Tuple (client_id, user, session) that describes the authentication.
-- The <tt>Authenticate</tt> procedure should look in its database (internal
-- or external) to find the authentication principal that was granted for
-- the token Tuple. When the token was not found (because it was revoked),
-- the procedure should return a null principal. If the authentication
-- principal can be cached, the <tt>Cacheable</tt> value should be set.
-- In that case, the access token and authentication principal are inserted
-- in a cache.
overriding
procedure Authenticate (Realm : in out File_Realm_Manager;
Token : in String;
Auth : out Servers.Principal_Access;
Cacheable : out Boolean);
-- Create an auth token string that identifies the given principal. The returned
-- token will be used by <tt>Authenticate</tt> to retrieve back the principal. The
-- returned token does not need to be signed. It will be inserted in the public part
-- of the returned access token.
overriding
function Authorize (Realm : in File_Realm_Manager;
App : in Servers.Application'Class;
Scope : in String;
Auth : in Servers.Principal_Access) return String;
overriding
procedure Verify (Realm : in out File_Realm_Manager;
Username : in String;
Password : in String;
Auth : out Servers.Principal_Access);
overriding
procedure Verify (Realm : in out File_Realm_Manager;
Token : in String;
Auth : out Servers.Principal_Access);
overriding
procedure Revoke (Realm : in out File_Realm_Manager;
Auth : in Servers.Principal_Access);
-- Crypt the password using the given salt and return the string composed with
-- the salt in clear text and the crypted password.
function Crypt_Password (Realm : in File_Realm_Manager;
Salt : in String;
Password : in String) return String;
-- Load from the properties the definition of users. The list of users
-- is controlled by the property <prefix>.list which contains a comma separated list of
-- users names or ids. The user definition are represented by properties
-- of the form:
-- <prefix>.<user>.username
-- <prefix>.<user>.password
-- <prefix>.<user>.salt
-- When a 'salt' property is defined, it is assumed that the password is encrypted using
-- the salt and SHA1 and base64url. Otherwise, the password is in clear text.
procedure Load (Realm : in out File_Realm_Manager;
Props : in Util.Properties.Manager'Class;
Prefix : in String);
procedure Load (Realm : in out File_Realm_Manager;
Path : in String;
Prefix : in String);
-- Add a username with the associated password.
procedure Add_User (Realm : in out File_Realm_Manager;
Username : in String;
Password : in String);
private
use Ada.Strings.Unbounded;
package Application_Maps is
new Ada.Containers.Indefinite_Hashed_Maps (Key_Type => String,
Element_Type => Servers.Application,
Hash => Ada.Strings.Hash,
Equivalent_Keys => "=",
"=" => Servers."=");
package Token_Maps is
new Ada.Containers.Indefinite_Hashed_Maps (Key_Type => String,
Element_Type => File_Principal_Access,
Hash => Ada.Strings.Hash,
Equivalent_Keys => "=",
"=" => "=");
package User_Maps renames Util.Strings.Maps;
type File_Principal is new Servers.Principal with record
Token : Ada.Strings.Unbounded.Unbounded_String;
Name : Ada.Strings.Unbounded.Unbounded_String;
Perms : Security.Permissions.Permission_Index_Set := Security.Permissions.EMPTY_SET;
end record;
type File_Application_Manager is new Servers.Application_Manager with record
Applications : Application_Maps.Map;
end record;
type File_Realm_Manager is limited new Servers.Realm_Manager with record
Users : User_Maps.Map;
Tokens : Token_Maps.Map;
Random : Security.Random.Generator;
Token_Bits : Positive := 256;
end record;
end Security.OAuth.File_Registry;
|