.. _authentication:

Authentication
==============

Authentication with the Soledad server is done using `Twisted's Pluggable
Authentication system
<https://twisted.readthedocs.io/en/latest/core/howto/cred.html>`_. Credentials
are validated by verifying a token provided by the client.
There are currently two distinct authenticated entry points:

* A public TLS-encrypted **Users API**, providing the *Synchronization* and
  :ref:`blobs` services, verified against the Leap Platform ``tokens``
  database.
* A local plaintext **Services API**, currently providing only the delivery
  part of the *Incoming* service, authenticated against tokens defined in a
  file specified in the server configuration file (see the
  :ref:`services-tokens-file` section).
Authorization header
--------------------

The client has to provide a token encoded in an HTTP ``Authorization`` header,
as in::

    Authorization: Token <base64-encoded uuid:token>

If no token is provided, the request is considered an "anonymous" request.
Anonymous requests can only access ``GET /``, which returns information about
the server (such as the server version and runtime configuration options).
.. _services-tokens-file:

Services API tokens file
------------------------

Credentials for services accessible through the local Services API entry point
can be added to a file, one per line, in the format ``servicename:token``, like
this::

    incoming:Zm9yYSB0ZW1lciEK

By default, Soledad Server will look for the tokens file in
``/etc/soledad/services.tokens``, but that is configurable (see
:ref:`server-config-file` for more information).

Currently, the only special credential provided is for the *Incoming* service.
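As an added example (not Soledad's own code), the following stand-alone Python parses the ``Authorization: Token <base64 uuid:token>`` header described in the previous section and checks it against credentials in the ``servicename:token`` format of the services tokens file. The parser, the helper names, the comment/blank-line handling and the constant-time comparison are assumptions of this example, not the server's implementation.

```python
import base64
import hmac

# Constructed sample in the services.tokens format (one servicename:token per line).
SAMPLE_TOKENS_FILE = "incoming:Zm9yYSB0ZW1lciEK\n"

def parse_tokens_file(text):
    """Hypothetical parser: ``servicename:token`` lines -> {name: token}."""
    tokens = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skipping blank/comment lines is an assumption
        name, sep, token = line.partition(":")
        if not sep or not name or not token:
            raise ValueError("malformed tokens line: %r" % line)
        tokens[name] = token
    return tokens

def encode_auth_header(name, token):
    # Build the ``Token <base64(name:token)>`` value a client would send.
    raw = ("%s:%s" % (name, token)).encode("utf-8")
    return "Token " + base64.b64encode(raw).decode("ascii")

def parse_auth_header(header):
    """(name, token) from the header; None when absent; ValueError when malformed."""
    if header is None:
        return None
    scheme, _, encoded = header.strip().partition(" ")
    if scheme != "Token" or not encoded:
        raise ValueError("unsupported Authorization scheme")
    # binascii.Error and UnicodeDecodeError are both ValueError subclasses.
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    name, sep, token = decoded.partition(":")
    if not sep or not name or not token:
        raise ValueError("decoded credential is not name:token")
    return name, token

def authenticate_service(header, tokens):
    """Service name on success, "anonymous" without a header, None if rejected."""
    try:
        creds = parse_auth_header(header)
    except ValueError:
        return None
    if creds is None:
        return "anonymous"
    name, token = creds
    # Constant-time compare so a wrong token cannot leak how much of it matched.
    expected = tokens.get(name, "").encode("utf-8")
    if not hmac.compare_digest(expected, token.encode("utf-8")):
        return None
    return name
```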
Implementation
--------------

The Soledad Server package includes a systemd service file that spawns a
``twistd`` daemon that loads a `.tac file
<https://twistedmatrix.com/documents/12.2.0/core/howto/application.html#auto5>`_.

When the server is started, two services are spawned:

* A local entry point for services (serving on localhost only).
* A public entry point for users (serving on the public IP).

The localhost and public IP ports are configurable. The defaults are 2424 for
the public IP and 2525 for localhost.

.. code-block:: none

   .----------------------------------------------------------.
   |                      soledad-server                      |
   |        (twisted.application.service.Application)         |
   '----------------------------------------------------------'
              |                                  |
       .--------------.                  .----------------.
       | 0.0.0.0:2424 |                  | 127.0.0.1:2525 |
       |    (TLS)     |                  |     (TCP)      |
       '--------------'                  '----------------'
              |                                  |
      .----------------.              .----------------------.
      | Auth for users |              |  Auth for services   |
      |  (UsersRealm)  |              | (LocalServicesRealm) |
      '----------------'              '----------------------'
              |                                  |
     .------------------.           .-------------------------.
     |    Users API     |           |      Services API       |
     | (PublicResource) |           |     (LocalResource)     |
     '------------------'           '-------------------------'
              |  .-------.  .-----------------.  |
              '->| /sync |  |    /incoming    |<-'
              |  '-------'  | (delivery only) |
              |  .--------. '-----------------'
              '->| /blobs |
                 '--------'