Authentication User Manual

Introduction

The authentication module is a module made to manage users and permissions.

The goal of this module is to give a simple solution for user authentication in general and allow specific implementation as required.

It is meant to be as simple as it can be, there is no hierarchy between users.

User management

Every user has a password and a combination of rights associated to it. Since the passwords are not stored in the AUTH_USER structure directly, it allows to hide the passwords from the rest of the software.

Also, since the credentials (user/password combination) cannot be accessed from outside the authentication layer, it prevent access to any unauthorized credentials.

Given the goal to keep this piece of software minimalist, some features were removed or reduced to a bare minimum, otherwise the software obtained would have been too complex.

The chosen architecture scheme limits the access to the ROOT user and prevents common errors such not validating user inputs. Instead, a user must be given explicit right to be able to execute an operation. If somebody tries to add a right on a File System module as an HTTP user, unless it has been specifically implemented to do so using an HTTP manager, the scheme will prevent the access to other modules rights.

Functionalities

The main actions that can be done over a user are the following:

FunctionalityDescriptionFunction provided
Add/Create a new user

Creates a user

Returns in user a copy of the structure created.

Auth_CreateUser()
Get user information

Updates your user structure with the module's information.

Eventual consistency strategy based on demand.

Auth_GetUser()
Validate credentialsLook-up for a username/password match in the list of users and return it.Auth_ValidateCredentials()
Grant/Revoke right for a given userGrants or revoke a right or a group of rights to a user.

Auth_GrantRight() or

Auth_RevokeRight()

Known Limitations

The maximum number of distinct, exclusive rights that can be defined is set to 28.

If two distinct modules use the same right number (AUTH_RIGHT_xx) to create their own rights, this could cause problem. A user may not have the correct right to execute an operation but have the 'equivalent' right from the other module and at that moment the authentication module will not be able to tell the difference between both rights and will allow the user even if it should not have. To prevent this from happening, make sure that no AUTH_RIGHT_xx is re-used throughout the application.

Rights Definition

An application may define its own rights in the

Listing - Defining authentication right
#include  <auth.h>                                                            (1)


#define  APP_FILE_READ_RIGHT     AUTH_RIGHT_0                                 (2)
#define  APP_FILE_WRITE_RIGHT   (AUTH_RIGHT_1 | APP_FILE_READ_RIGHT)          (3)
#define  APP_FILE_DELETE_RIGHT  (AUTH_RIGHT_2 | APP_FILE_WRITE_RIGHT)         (4)

(1) Include the auth.h file.

(2) The READ right can only read and is defined as right 0.

(3) The WRITE right can write and read, it is defined as right 0 and right 1.

(3) The DELETE right can delete, write and read, it is defined as right 0, right 1 and right 2.