Authentication User Manual
Introduction
The authentication module is a module made to manage users and permissions.
The goal of this module is to give a simple solution for user authentication in general and allow specific implementation as required.
It is meant to be as simple as it can be, there is no hierarchy between users.
User management
Every user has a password and a combination of rights associated to it. Since the passwords are not stored in the AUTH_USER
structure directly, it allows to hide the passwords from the rest of the software.
Also, since the credentials (user/password combination) cannot be accessed from outside the authentication layer, it prevent access to any unauthorized credentials.
Given the goal to keep this piece of software minimalist, some features were removed or reduced to a bare minimum, otherwise the software obtained would have been too complex.
The chosen architecture scheme limits the access to the ROOT user and prevents common errors such not validating user inputs. Instead, a user must be given explicit right to be able to execute an operation. If somebody tries to add a right on a File System module as an HTTP user, unless it has been specifically implemented to do so using an HTTP manager, the scheme will prevent the access to other modules rights.
Functionalities
The main actions that can be done over a user are the following:
Functionality | Description | Function provided |
---|---|---|
Add/Create a new user | Creates a user Returns in user a copy of the structure created. | Auth_CreateUser() |
Get user information | Updates your user structure with the module's information. Eventual consistency strategy based on demand. | Auth_GetUser() |
Validate credentials | Look-up for a username/password match in the list of users and return it. | Auth_ValidateCredentials() |
Grant/Revoke right for a given user | Grants or revoke a right or a group of rights to a user. |
Known Limitations
The maximum number of distinct, exclusive rights that can be defined is set to 28.
If two distinct modules use the same right number (AUTH_RIGHT_xx
) to create their own rights, this could cause problem. A user may not have the correct right to execute an operation but have the 'equivalent' right from the other module and at that moment the authentication module will not be able to tell the difference between both rights and will allow the user even if it should not have. To prevent this from happening, make sure that no AUTH_RIGHT_xx
is re-used throughout the application.
Rights Definition
An application may define its own rights in the
#include <auth.h> (1) #define APP_FILE_READ_RIGHT AUTH_RIGHT_0 (2) #define APP_FILE_WRITE_RIGHT (AUTH_RIGHT_1 | APP_FILE_READ_RIGHT) (3) #define APP_FILE_DELETE_RIGHT (AUTH_RIGHT_2 | APP_FILE_WRITE_RIGHT) (4)
(1) Include the auth.h
file.
(2) The READ
right can only read and is defined as right 0.
(3) The WRITE
right can write and read, it is defined as right 0 and right 1.
(3) The DELETE
right can delete, write and read, it is defined as right 0, right 1 and right 2.