diff --git a/README.md b/README.md index f2befaf..41f3d8c 100644 --- a/README.md +++ b/README.md @@ -293,6 +293,53 @@ If authentication is enabled, a provider must be authenticated by the adapter be - **username**: authenticate via username and password `{"username": , "password": }` +## Authentication + +By default, webfuse daemon will redirect each filesystem call to the first connected provider without any authentication. +This might be good for testing purposes or when an external authentication mechanism is used. In some use cases, explicit authentication is needed. Therefore, authentication can be enabled within webfuse daemon. + +When authentication is enabled, filesystem calls are only redirected to a connected provider, after `authenticate` +has succeeded. + +![authenticate](doc/authenticate.png) + +### Enable authentication + +Authentication is enabled, if one or more authenticators are registered via `wf_server_config`. + + static bool authenticate(struct wf_credentials * creds, void * user_data) + { + char const * username = wf_credentials_get(creds, "username"); + char const * password = wf_credentials_get(creds, "password"); + + return ((NULL != username) && (0 == strcmp(username, "bob")) && + (NULL != password) && (0 == strcmp(password, "???"))); + } + + wf_server_config * config = wf_server_config_create(); + wf_server_config_add_authenticator(config, "username", &authenticate, NULL); + + wf_server * server = wf_server_create(config); + //... + +### Authenticator types and credentidals + +Each authenticator is identified by a user defined string, called `type`. The type is provided by the `authenticate` request, so you can define different authenticators for different authentication types, e.g. username, certificate, token. + +Actually, only one type is used: **username** +**It is strongly recommended to prefix custom authenticator types with an underscore (`_`) to avoid name clashes.** + +The `wf_credentials`struct represents a map to access credentials as key-value pairs, where both, key and value, are of type string. + +#### username + +The authenticator type **username** is used to authenticate via username and password. Valid credentials should contain two keys. + +- **username** refers to the name of the user +- **password** refers to the password of the user + +**Note** that no further encryption is done, so this authenticator type should not be used over unencrypted websocket connections. + ## Build and run To install dependencies, see below. diff --git a/doc/authenticate.png b/doc/authenticate.png new file mode 100644 index 0000000..b0df17d Binary files /dev/null and b/doc/authenticate.png differ diff --git a/doc/authenticate.uml b/doc/authenticate.uml new file mode 100644 index 0000000..00a5f52 --- /dev/null +++ b/doc/authenticate.uml @@ -0,0 +1,28 @@ +@startuml +participant "Filesystem Provider\n(e.g. Webbrowser)" as provider +participant "webfuse\ndaemon" as daemon +actor "user" as user + +group directory listing fails without authentication +user -> daemon : ls +daemon -> daemon : is_authenticated +daemon -->x user : error: no entry +end + + +group authenticate +provider -> daemon: authenticate(type, credentials) +daemon -> daemon: get_authenticator(type) +daemon -> daemon: check(credentials) +daemon --> provider: result +end + +group directory listing succeeds after authentication +user -> daemon : ls +daemon -> daemon : is_authenticated +daemon -> provider : readdir +provider --> daemon : readdir_resp +daemon --> user : [., ..] +end + +@enduml \ No newline at end of file diff --git a/doc/concept.png b/doc/concept.png index e1c957e..9ab4e90 100644 Binary files a/doc/concept.png and b/doc/concept.png differ diff --git a/doc/concept.uml b/doc/concept.uml index 2b9543e..a7ec266 100644 --- a/doc/concept.uml +++ b/doc/concept.uml @@ -23,7 +23,7 @@ group directory listing user -> daemon : ls daemon -> provider : readdir provider --> daemon : readdir_resp -daemon --> user : "[., ..]" +daemon --> user : [., ..] end ...