seamless 0.1.0
Last updated:
0 purchases
Description:
seamless 0.1.0
seamless provides an easy way to obtain an https session token via ssh.
It automates creation of user accounts and manages their authorized_keys as well as session token creation via forced ssh commands.
The authentication flow is as follows:
A client connects to seamless-realm@seamless-host via ssh and authenticates with a public key.
The key is restricted to only execute the token creation command of the seamless binary.
The seamless command returns session token that is signed with a secret specific to seamless-realm.
$ ssh -T seamless-realm@seamless-host
username.VgfAwA.v-xKIZh3qYawqcm2RRh4q-LPfVE
The client sends the obtained token in the HTTP Authorization header of its requests to protected-app.
The app uses the shared secret to validate the token.
GET / HTTP/1.1
Host: protected-app
Authorization: seamless username.VgfAwA.v-xKIZh3qYawqcm2RRh4q-LPfVE
Installation
From a deb package:
$ wget https://github.com/emulbreh/seamless/releases/download/v0.1.0/seamless_0.1.0_amd64.deb
$ sudo dpkg -i seamless_0.1.0_amd64.deb
As Python package:
$ pip install seamless
Setting up a seamless realm
A seamless realm is a user account on seamless-host. The creation and management of authorized_keys of these accounts is handled by seamless.
$ sudo seamless init seamless-realm
$ sudo seamless add seamless-realm /path/to/public/key --user username
A user with this public key is now able to get tokens via ssh:
$ ssh -T seamless-realm@seamless-host
username.VgfOLQ.EB6NTfXiyv7dWSKUMQJ38JXa5aw
or from Python
>>> import seamless
>>> seamless.get_token('seamless-realm@seamless-host')
'username.VgfOBA.dRBDY5EUmQvhB8OnqPDWlC1tml4'
Protecting a webservice with WSGI middleware
seamless ships with WSGI middleware that verifies that a valid seamless token is passed via the Authorization header.
from seamless.wsgi import SeamlessMiddleware
app = ...
app = SeamlessMiddleware(app, max_age=60, secret='...')
Requests without a valid Authorization header will be rejected with a 401 response.
Making requests to such a protected app is made easy with an auth plugin for requests:
import requests
from seamless.requests import SeamlessAuth
session = requests.Session()
session.auth = SeamlessAuth('name@seamless-host')
session.get('http://protected-app/')
The token obtained from seamless-host is cached.
It will be be automatically refreshed when it expires, and the failing request retried.
Caveats
If token validation is performed on a different host than token creation, clock skew may result in tokens that expire too early or too late.
License:
For personal and professional use. You cannot resell or redistribute these repositories in their original state.
Files In This Product: (if this is empty don't purchase this product)
Customer Reviews
There are no reviews.
