* /login_jwt now accepts "jwt" key with an existing valid JWT as the
value
* upon successful authentication with the token a new token with
prolonged expiration time is issued for the authenticated user
and returned in the JSON response
* add "expires" value in the JSON response that contains a timestamp
integer when the issued token expires
* fix encode_json() calls formatting
* most of JWT related error messages are now appear in the log as INFO
instead of ERROR as they are not related to the system errors
Change-Id: Ie8e04534c8819dc756b3c64ebc4432ce442a1d31
* Users with "system" role can change all items accross the system including the password changing for other users.
* Login "system" has persistant "system" role.
* "system" login name is restricted for the user input.
Change-Id: Ibaecba35a86f71fa8895ce9d9feab8e768b65d14
* /login_jwt is now the only endpoint to issue JWT tokens
* JWT token admin/subscriber is provided based on the
NGCP_REALM/NGCP_API_REALM fcgi env values
(e.g.: https://localhost:1443/login_jwt = admin JWT token and
https://localhost/login_jwt = subscriber JWT token)
* Authorization: Bearer a= prefix is deprecated
* Clients cannot use subscriber JWT token to access admin
NGCP_API_REALM https://localhost:1443/api/...
and vice-versa
Change-Id: I46edf4c7aaf7bb835dc4ac6b7535aa2d6b5ac136
* the extra packing of the secret key during encode/decode
conflicts with the API v2 implementation
* move JWT "typ" from the payload to the header
Change-Id: Ica5822d810d6eaf7b3ae017f7037f25637b6f861
* add additional centralised checks for inactive and read_only users.
* use_userdata_from_session=0 now for all auth realms to cause the data
re-fetched from the database, to avoid scenarios when a user is set
as inactive or read_only and UI keeps using the cached data.
the change only affects cookie and JWT subscriber based sessions
as in all other cases, the auth data is fetched from the storage regardless.
* add is_active=1 flag for the internal 'system' role, as otherwise
access would be permanently denied for it.
* default 403 error for denied api requests is changed to "Forbidden"
instead of "Forbidden path".
Change-Id: I1d6d3c765ca8e017e11845c1f5260243a3963c3b
* new c.users.role 'lintercept', that set to when an admin user has
enabled 'lawful_intercept' flag
* only Administrator page /api/admins and /api/interceptions are available for
the role
* 'lintercept' role can only see own user and only change password
and email
Change-Id: Iadcb022a124afbd77b224e734026f380af0170e8
* add admin_jwt realm
* admin JWT tokens are now used to access all non /api
content
Change-Id: I711d6419f0b624b02b53876a8c9171ab638b5d09
(cherry picked from commit dc4d9ec84b5b1199f17631e9e1f9a39ab1996807)
* /admin_login_jwt now returns a JWT token for admin
users and also the JWT token is supported in the
authorization process for the admin requests
Change-Id: I987640d46bd8a339a959a6b2efb65b6dce06bf8c
* ccareadmin and ccare roles have full access to
Customers, Subscribers and their preferences/settings,
and read-only access to BillingProfiles,InvoceTemplates,
EmailTemplates
* ccare role is restricted to the related reseller
Change-Id: I6cf7d3adf912f0fa98d1ef5c02abea2f4331ec4b
- read key from specific config file
- key is hex encoded
+ fix: add libcryptx-perl as dependency (actually dep of libcrypt-jwt-perl)
+ fix: typo in perl (comma instead of assignment)
+ fix: chomp any preceeding newlines from jwt_secret
Change-Id: I6c6bd4dc0d7fa7fa43868afb13b4d8d838d90564
Kirill Solomko
Oleksandr Duts
Flaviu Mates
Guillem Jover
Rene Krenn
Gerhard Jungwirth