Project to learn golang.org in the context of user lifecycle management.
This repository contains the heart of the UserStack project. The core domain model is implemented at the ustackd. The daemon has multiple backend implementations in which the data can be stored.
We may stole ideas from:
- Apache Syncope
- ConnID
This section describes the configuration of the ustackd.
[Daemon]
# Interface and port where the daemon should listen
listen = 0.0.0.0:7654
; listen = 127.0.0.1:7654
# the realm send by the server after connect
realm = ustackd $VERSION$
# be default the daemon is in background, foreground at demand
# in foreground mode the syslog is disabled and logging appears on STDOUT
; foreground = yes
# The backend to use
backend = sqlite
# path where to store the pid file
pid = ./ustackd.pid
[syslog]
# (USER, MAIL, DAEMON, AUTH, SYSLOG, LPR, NEWS, UUCP, CRON, AUTHPRIV, FTP,
# LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7)
# which syslog facility should be used
facility = FTP
# set the syslog log level
# (EMERG ALERT CRIT ERR WARNING NOTICE INFO DEBUG)
level = DEBUG
[client]
# client that is allowed to issue all commands (e.g. web gui)
; auth = 42421da75756d69832d:allow:.*
# client that is restricted to certain commands (e.g. auth server)
; auth = 6d95e4ac638daf4b786:allow:^(login|set|get|change (password|email))
# client that can manage everything, but is secure from data stealing
; auth = 04d6eb93ab5d30f7bb0:deny:^(users|groups|group users)
[security]
# change root to this location after start
; chroot = /var/run/ustackd
# change user to this location after start
# the same is used for the gid, so you need to have the user only in one group
# with the same name
; uid = ustack
[ssl]
# status
enabled = yes
# Interface and Port where the daemon should listen with ssl/tls enabled
; listen = 0.0.0.0:8765
# location of the private key in pem format
; key = /etc/ustack/key.pem
# location of the certificate in pem format
; cert = /etc/ustack/cert.pem
[sqlite]
url = ustack.db
ustackd [-c config file] [-f|--foreground]
If now config file is passed, the file will be searched in the following locations in order:
- ./ustack.conf
- /etc/ustack.conf
- /usr/local/etc/ustack.conf
Simply download the dependencies and start the server:
make prepare
go run ustackd.go -f
User
* uid (int)
* firstname (string)
* lastname (string)
* name (string)
* password (string)
* active (bool)
has many Groups
Group
* gid (int)
* name (string)
has many Users
The backends in ustackd are based on a plugin mechanism. This way, ustackd should be able to communicate with all possible backends.
Sqlite 3 implementation of the backend.
[Daemon]
backend = sqlite
[sqlite]
url = /var/run/ustack.db
Or to use a memory database for testing
[sqlite]
url = :memory:
See here more info on how paths can look like.
PostgreSQL implementation of the backend. See http://godoc.org/github.com/lib/pq for example connection strings.
[Daemon]
backend = postgres
[postgres]
url = "user=postgres dbname=ustackd sslmode=disable"
MySQL implementation of the backend. See https://github.com/go-sql-driver/mysql for example connection strings.
[Daemon]
backend = mysql
[mysql]
url = "travis@unix(/tmp/mysql.sock)/ustackd?charset=utf8"
Proxy backend implementation connects to a different ustackd and proxies requests.
[Daemon]
backend = sqlite
[Proxy]
# connection to the remote ustackd
host = localhost:7543
# enable ssl transmission (without cert man in the middle is possible)
ssl = yes
# cert that should be used by the server if not passed, all certs are allowed
cert = config/cert.pem
# authenticate as a certain client
passwd = SOMEVERYGOODSECRET
Nil backend implementation is a dummy implementation, that always returns ok.
[Daemon]
backend = nil
This section describes the protocol that is used to interface with the daemon.
Following notation is used
-> Client sends something to the server
<- Server send something back to the client
CRLF "\r\n" is implicit for every line sent. If the request was ok the response is prefixed with a "+" otherwise with a minus, followed by the response code.
If a secret is set, the client has to issue the client auth command in order to get access to the system. Depending on the secret the possible commands may change. This is useful, to for example not allow apps to list all users. Generally consider use of SSL/TLS!
-> client auth <secret>
<- + OK
Return Codes:
OK: Ok
EPERM: no valid secret
Return stats of the server.
-> stats
<- logins: 13435
<- err logins: 1123
<- users: 651
<- inactive users: 15
<- groups: 4
<- + OK
Upgrades the current connection into a ssl connection.
-> starttls
<SSL connection from know on>
-> user <name> <password>
<- + OK 1
Return Codes:
OK: Ok with the uid
EEXIST: User already exists
EINVAL: Parameter missing or invalid
-> disable <name|uid>
<- + OK
Return Codes:
OK: Ok
ENOENT: name or uid unknown
-> enable <name|uid>
<- + OK
Return Codes:
OK: Ok
ENOENT: name or uid unknown
-> set <name|uid> <key> <value>
<- + OK
Return Codes:
OK: Ok
ENOENT: name or uid unknown
EINVAL: Parameter missing or invalid
Recommended Keys:
firstname
lastname
-> get <name,uid> <key>
<- <value>
<- + OK
Return Codes:
OK: Ok
ENOENT: name, uid or key unknown
EINVAL: Parameter missing or invalid
-> login <name> <password>
<- + OK 1
Return Codes:
OK: Ok with the uid
EPERM: name and password are not a valid combination
-> change password <name|uid> <password> <newpassword>
<- + OK
Return Codes:
OK: Ok
ENOENT: name and password are not a valid combination
EINVAL: Parameter missing or invalid
-> change name <name|uid> <password> <newname>
<- + OK
Return Codes:
OK: Ok
ENOENT: name and password are not a valid combination
EINVAL: Parameter missing or invalid
-> user groups <name|uid>
<- administrators:1
<- sales:20
<- engineering:10
<- + OK
Format:
List of groups with group id: <group>:<gid>
Return Codes:
OK: Ok with the list of objects
ENOENT: name or uid unknown
EINVAL: Parameter missing or invalid
delete user <name|uid>
Return Codes:
OK: Ok user deleted
ENOENT: name or uid unknown
EINVAL: Parameter missing or invalid
-> users
<- foo@bar.com:1:Y
<- bar@example.com:2:Y
<- mr@bean.com:3:N
<- + OK
Format:
List of names with user id: <name>:<uid>:<active Y=yes, N=no>
Return Codes:
OK: Ok
-> group <name>
<- + OK 1
Return Codes:
OK: Ok with the gid
EEXIST: Group already exists
EINVAL: Parameter missing or invalid
-> add <name|uid> <group|gid>
<- + OK
Return Codes:
OK: Ok
ENOENT: Group or user doesn't exist
-> remove <name|uid> <group|gid>
<- + OK
Return Codes:
OK: Ok
ENOENT: Group or user doesn't exist
-> delete group <group|gid>
<- + OK
Return Codes:
OK: Ok
ENOENT: Group doesn't exist
-> groups
<- administrators:1
<- sales:20
<- engineering:10
<- + OK
Format:
List of groups with group id: <group>:<gid>
Return Codes:
OK: Ok
-> group users <group|gid>
<- foo@bar.com:1:Y
<- bar@example.com:2:N
<- mr@bean.com:3:Y
<- + OK
Format:
List of names with user id: <name>:<uid>:<active Y=yes, N=no>
Return Codes:
OK: Ok
ENOENT: Group doesn't exist
brew install postgres
cd tmp/
initdb pgdata
postgres -D pgdata
In a separate terminal:
createdb ustackd
psql -U $USER -c "CREATE USER postgres;" ustackd
psql -U $USER -c "GRANT ALL PRIVILEGES ON DATABASE ustackd TO postgres;" ustackd
TEST_CONFIG=config/test_psql.conf go test -v ./...
brew install mysql
mkdir -p tmp/mysql
mysql_install_db --datadir=`pwd`/tmp/mysql --basedir=`brew --prefix mysql`
mysqld --datadir=`pwd`/tmp/mysql
In a separate terminal:
mysql -u root -e "create database ustackd"
mysql -u root -e "GRANT ALL PRIVILEGES ON *.* TO 'travis'@'localhost'"
TEST_CONFIG=config/test_mysql.conf go test -v ./...
- track ip address of browser at login like
login <name|uid> <pw> <ip> - show ip addresses and dates of last failed logins
- track succesfull logins
- plugin system
- 2-factor-auth (sms?, otp-token-generator?, frontend: show qr-codes)
- e-mail notification
- getUserDataKeys returns []string with all keys the userData contains
- seperate permission groups from organizational groups (group name prefixes like
perm.vs. directory structure) - support login with password and token with seperate permissions