Imovies keeps a MySQL database of its employees, containing personal information and credentials. The company's CA webserver needs information from this database to authenticate its employees before issuing certificates. For security reasons, the company chose to store the database on a separate host from the webserver. However, the webserver still needs some access to this information. This repository contains a server intended to run on top of the MySQL database, to be accessible only from the company's webserver, and to provide the information the webserver needs from the database.
Download the VM at : https://polybox.ethz.ch/index.php/apps/files/?dir=/Shared/ApplSecLab/VMs/VM_auth_unit&fileid=1679151160
When logged in as user Master, open a terminal and type :
sudo su bob
If you have any trouble logging in as bob, his password can be found in the secrets folder of the GitHub repo.
Then navigate to the iMovies-authUnit folder
Run the server :
./run
You can choose the IP/port of the server as well as other options:
./run -h
usage: auth_unit.py [-h] [--port PORT] [--ip IP] [--user USER] [--host HOST] [--db DB] [--pwd PWD] [--cert CERT] [--sk SK]
optional arguments:
  -h, --help   show this help message and exit
  --port PORT  server port
  --ip IP      server ip
  --user USER  database username
  --host HOST  db username host ip
  --db DB      database name
  --pwd PWD    db user password
  --cert CERT  server certificate path
  --sk SK      server private key path
Important Note: to ensure the server works, the following options should not be specified, because the defaults already match the database installed on the machine:
- pwd : already set to toor in the database which is already installed on the machine
- db : already set to imovies in the database
- user : already set to root in the database
Additionally, the server is already loaded with a certificate and private key, which can be found in the keys folder. They can be regenerated by navigating into that folder and calling the following script:
./genkeyscert.sh
sudo ./install_only.sh <MySQL Password> <Path to dumpfile>
sudo ./install_and_run.sh <MySQL Password> <Path to dumpfile>
The second script also runs the server as root and should not be used.
Dump files can be found in the db/ folder. There are two dump files:
- one containing only the user table
- one containing the user table and the admin table
The database imovies can be reset at any time with a new dumpfile by running:
sh scripts/setup_mysql.sh <MySQL Password> <Path to dumpfile>
- Install MySQL:
sudo apt-get install mysql-server
You will be asked to choose a password for the root account.
- Create the imovies database:
echo 'create database imovies' | mysql -uroot -p<yourpassword>
- Load the users table:
mysql -uroot -p<yourpassword> imovies < imovies_users.dump
If needed, create a virtual environment for Python:
python3 -m venv <env_name>
Activate the environment :
source <env_name>/bin/activate
pip is installed together with the new environment; use it to install the dependencies:
pip install -r requirements.txt
By default, when started with
./run
- the server runs on IP 127.0.0.1 and port 5001
- the server connects to the database named imovies using username root, password toor and hostname localhost
These options can be changed; to list them:
./run -h
A client can be used to test the server and analyse its behaviour :
python3 auth_client.py
This section describes the data the server expects from a client and the answers it sends back.
Send a POST request to the following address:
POST http://<server_ip>:<server_port>/check_user
Containing a JSON of the following format :
{
"uid" : "exampleUID",
"pwd" : "aPassword"
}
and get back an answer with status code 200 containing a JSON of the following format :
{
"valid" : false,
"type" : 1,
"description" : "Wrong Password"
}
The type field is just a response type identifier.
Send a POST request to the following address:
POST http://<server_ip>:<server_port>/get_info
containing a JSON of the following format :
{
"uid" : "exampleUID"
}
and get back an answer with status code 200 containing a JSON of the following format :
{
"found" : true,
"info" : {
"uid" : "pr",
"lastname" : "prost",
"firstname" : "adrien",
"email" : "prostategmail.com",
"pwd" : "e27a5b2abab6e9fb6b36b95db5deda8cb1796d93"
}
}
or
{
"found" : false,
"info" : {}
}
Send a POST request to the following address:
POST http://<server_ip>:<server_port>/update_info
containing a JSON of the following format :
{
"uid" : "uid affected by changes",
"updates" : {
"uid" : "pr",
"lastname" : "prost",
"firstname" : "adrien",
"email" : "prostategmail.com",
"pwd" : "strongpassword:)"
}
}
The updates field can contain any subset of the fields uid, lastname, firstname, email and pwd; only the fields that are specified are changed.
Important: the password must be sent to the server in plaintext, not hashed. The server stores the hashed form (the value returned by get_info), so the plaintext should only ever travel over the TLS connection the server sets up with the certificate and key from the keys folder.
The server will send back a JSON of the following format :
{
"updated" : true,
"type" : 0,
"description" : "Information updated with Success"
}
The server sends back a response with status code 400 whenever:
- the client does not send a valid request
- the request does not contain valid JSON
- the JSON does not contain valid fields
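The following Python module is an added example, not code from the iMovies-authUnit project: it models the three endpoints above (/check_user, /get_info, /update_info) and the 400 rules against an in-memory user table instead of MySQL, so the request validation and response shapes can be exercised offline. Everything not on this page is an assumption and is marked as such in the code: that stored pwd values are hex SHA-1 digests (the documented example is 40 hex characters), the body of a 400 response, the type codes 2 and 3 (only 0 and 1 appear in the README), and the sample user row.

```python
"""Offline model of the auth unit's three endpoints (added example, not the
project's own code). It reproduces the request and response shapes from the
README against an in-memory user table instead of MySQL, so the validation
rules that produce a 400 can be exercised without the VM.
ASSUMPTIONS: stored pwd values are hex SHA-1 digests (the documented example
is 40 hex characters); type codes 2 and 3 and the 400 body are made up.
"""
import hashlib
import hmac
import json

USER_FIELDS = ("uid", "lastname", "firstname", "email", "pwd")

# Constructed sample row, shaped like the "info" object returned by /get_info.
USERS = {
    "pr": {
        "uid": "pr", "lastname": "prost", "firstname": "adrien",
        "email": "prostategmail.com",
        "pwd": hashlib.sha1(b"aPassword").hexdigest(),  # assumed hash format
    },
}

BAD_REQUEST = (400, {"error": "invalid request"})  # 400 body shape is an assumption


def _hash_pwd(plaintext):
    """ASSUMPTION: the stored form is an unsalted hex SHA-1 digest."""
    return hashlib.sha1(plaintext.encode("utf-8")).hexdigest()


def _parse(body, required):
    """Return the decoded JSON object, or None for the README's 400 cases:
    body is not JSON, not an object, or does not carry exactly the expected
    fields. uid must be a string because it is used as the lookup key."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict) or set(data) != set(required):
        return None
    if not isinstance(data.get("uid"), str):
        return None
    return data


def check_user(body):
    """POST /check_user: {"uid", "pwd"} -> (status, {"valid", "type", "description"})."""
    data = _parse(body, ("uid", "pwd"))
    if data is None or not isinstance(data["pwd"], str):
        return BAD_REQUEST
    row = USERS.get(data["uid"])
    if row is None:
        return 200, {"valid": False, "type": 2, "description": "Unknown user"}
    # Constant-time comparison so the response time does not depend on how
    # many leading characters of the digest matched.
    if not hmac.compare_digest(_hash_pwd(data["pwd"]), row["pwd"]):
        return 200, {"valid": False, "type": 1, "description": "Wrong Password"}
    return 200, {"valid": True, "type": 0, "description": "Valid credentials"}


def get_info(body):
    """POST /get_info: {"uid"} -> (status, {"found", "info"})."""
    data = _parse(body, ("uid",))
    if data is None:
        return BAD_REQUEST
    row = USERS.get(data["uid"])
    if row is None:
        return 200, {"found": False, "info": {}}
    return 200, {"found": True, "info": dict(row)}


def update_info(body):
    """POST /update_info: {"uid", "updates"} -> (status, {"updated", "type", "description"}).
    "updates" may hold any subset of USER_FIELDS; any other key is a 400."""
    data = _parse(body, ("uid", "updates"))
    if data is None or not isinstance(data["updates"], dict):
        return BAD_REQUEST
    updates = dict(data["updates"])
    if not set(updates) <= set(USER_FIELDS):
        return BAD_REQUEST
    if not all(isinstance(v, str) for v in updates.values()):
        return BAD_REQUEST
    row = USERS.get(data["uid"])
    if row is None:
        return 200, {"updated": False, "type": 2, "description": "Unknown user"}
    if "pwd" in updates:
        # README: the client sends the plaintext password; only the hash is stored.
        updates["pwd"] = _hash_pwd(updates["pwd"])
    new_uid = updates.get("uid", data["uid"])
    if new_uid != data["uid"] and new_uid in USERS:
        return 200, {"updated": False, "type": 3, "description": "uid already in use"}
    row.update(updates)
    USERS[new_uid] = USERS.pop(data["uid"])
    return 200, {"updated": True, "type": 0,
                 "description": "Information updated with Success"}
```

Each function takes the raw request body and returns the HTTP status with the JSON object to send back, so the same validation can sit behind any HTTP layer; the real server's HTTP handling and MySQL queries are not modelled here. The strict `set(data) != set(required)` check rejects extra keys as well as missing ones, which is a deliberately narrow reading of "the JSON does not contain valid fields".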