-
Notifications
You must be signed in to change notification settings - Fork 13
Authentication
Gorjun service is using GPG-keys for user authorization.
You can get user public keys using the following endpoint: https://cdn.subut.ai:8338/kurjun/rest/auth/keys?user=Hub
Unfortunately, our external systems like Hub does not allow user to register several keys, and the following endpoint still in use: https://cdn.subut.ai:8338/kurjun/rest/auth/key?user=Hub
Only Subutai Hub has the ability to register a new user on the production Gorjun.
It sends to the Gorjun signed request with username and public key. Gorjun verifies this request and register user.
But for test purposes, local user registration allowed too:
#!/bin/bash
URL=http://127.0.0.1:8080
NAME=Hub
KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: BCPG v1.51
mQINBFi0Dp0BEAC/BXtjULpHtaocIfnH1qaIAALdeyl3JYiTXv583H6v7gn5kPVL
wYgJrVBWbAdFedMw8RflDW3fvVJNDwmjv87ckQcWqxvDr6D+x/Zig9mmmn7H64jX
SJCNs9exYuVdeHuBtBnFP4VOxGc/96yUkxo5HzWg9tXgoiIgoB3Z3BUah/mB8xKp
F3cmPYzwE5DkUyGkSg+vl//Uk8x1UYeONKajlyZQ3xT+6XBwE+/iL0cVUSZCuhsB
P4VB8Oy1z/0rEY6TP0nlYpV+uC/0SDUwABiNCw8QTkxfbcsuEyFvmC3IhjHgfSVi
5LxGOV5cALjQ2KP1zFECqwGbtdXIp4qW2sbuTKPxjn8nF8miHe52N77/azPLeNmq
TUm1WtkgoUEeaCikZJLzhIOV7nBu8fo6tCentXGSsTM0EM/BHZXcrN3LHzajs8F7
7Xh4l2VsoHHskBMEe1WmTcYYcb/cWL3KuwHN+p4XrZG9rZjUr2qTIN+Vp8v7whik
bNJXqLlJPJ63iJNGing+JRb+xv08vsrdFAC20buxKXMjE43DhyVYgOJUig0Vvja+
2Ch6JkS2tsrACfcuyL8oXg9CQLTZYphlz/FY5wPeVi1xfs4U2yhcQ2vOt/vpiV5A
jmCSxBzQ3MFLikgpRw6xqyyLqlVorAuAToUKVWrbyeAaLEyFUO6jReencQARAQAB
tBRodWIgPGh1YkBzdWJ1dGFpLmlvPokCNQQQAQgAKQUCWLQOnwYLCQgHAwIJEL6h
pfg2JEJ8BBUIAgoDFgIBAhkBAhsDAh4BAABY8w//Rhi1Jx5yEsU8UrLTCkWJ5z25
usEdb9hSnLbpzE1VUlt8hAhJRxflC9GxJK4aBM7hRYpUhd3FbtvvgIvSB3MbG6Du
3Kpyus4D2kwCQ0DGx1wXTKrL0om48eE1v4w0cVH1ppEGkrvw0OhzpQkWizwzp+yQ
XX4EYzs7sIvDNycR95b+eGs9aJyJTVyK8RzllCzZIu2QSF24Rc9pWdQs8b/DOXwp
TPjaWE4fQGP9phi+NftbqUzOBagWaui/aieVn371F2izHkfisBr9wtW5cSvOYaxz
gCrc/bdPjQ8MW160RtPOg+R3Lxw6issQPT6jlPr/WmE0xpb76GTg6msqHea4kmdg
Pv1gyRAHftAxtxEOBtM5jGza6JEAhCeekCL2fK5FEb8YbNfETYLCaTcSi47lFBhi
tb96sKGltqfZcnmVxp9Epelb2ZPdv791RricdqkZr+BJXkAg+xxxkPsbgXfdofVC
Ucf+1r6/Cc7cQx/p0+a6O6ybCIsDETVOD25YmoIBdL0u8jsmaGyT1INllhP5kvMR
cSkeC/WtzR+d5D1/ten9bfp8igxpyz0PeGL7b3SIF00CcmMtf6az1WRL0PEtgYZ3
qHw8R+ZPSnBUm1lTc/sEr0ahn2jN04SH+LIk2xw8jHGo8OTrywWdfPYiz40VyCW1
w7xco3j1N/lOCjBs1Ks=
=cAJ1
-----END PGP PUBLIC KEY BLOCK-----"
curl -s -k -Fname="$NAME" -Fkey="$KEY" "$URL/kurjun/rest/auth/register"To get a token user need to perform the following steps:
- GET the authid from the Gorjun server;
- Sign it using GPG-key;
- POST a signed message to the Gorjun server.
#!/bin/bash
URL=https://cdn.subut.ai:8338/kurjun/rest
USER=username
EMAIL=user@subut.ai
curl -k "$URL/auth/token?user=$USER" -o /tmp/filetosign
gpg --armor -u $EMAIL --clearsign /tmp/filetosign
curl -k -s -Fmessage="`cat /tmp/filetosign.asc`" -Fuser=$USER "$URL/auth/token"Token has a limited TTL, it's limited to 1 hour. To validate if the token still valid the following URL can be used:
Gorjun service allows a user to sign artifact by his key to prove that this file was uploaded by a valid user.
After file upload user need to sign ID and POST it using token to /auth/sign endpoint
#!/bin/bash
URL=https://devcdn.subut.ai:8338/kurjun/rest
USER=subutai
EMAIL=eu0@cdn.subut.ai
curl -k "$URL/auth/token?user=$USER" -o /tmp/filetosign
gpg --armor -u $EMAIL --clearsign /tmp/filetosign
TOKEN=$(curl -k -s -Fmessage="`cat /tmp/filetosign.asc`" -Fuser=$USER "$URL/auth/token")
SIGNATURE=$(curl -k -s -Ffile=@/tmp/file.tgz -Ftoken=$TOKEN "$URL/raw/upload" | gpg --clearsign --no-tty)
curl -k -s -Ftoken="$TOKEN" -Fsignature="$SIGNATURE" "$URL/auth/sign"
New way upload
curl -k -s -Ffile=@/tmp/file.tgz -H "token:$TOKEN" "$URL/raw/upload"