CactuseSecurity · tpurschke · May 10, 2020 · May 10, 2020 · May 10, 2020 · May 10, 2020
diff --git a/design/readme.md b/design/readme.md
@@ -0,0 +1,27 @@
+
+# Designziele
+
+- Einfache Entwicklung im (erweiterbaren) Team
+- Open Source
+- Clean Code (Doku, Tests, coding best practices ...)
+- Klare Modularisierung (mittels API), keine Logik im Client
+- Sicherer Code, mandantenfähige Nutzung, RBAC
+- Moderne & "zeitlose" GUI
+- Wartbarkeit (einfaches Einspielen, Bereitstellen von Updates, updater?)
+
+# Design-, Methoden- und Toolentscheidungen
+
+- GitHub.com
+- Rapid Prototyping (Trial & Error, MuP)
+- PostgreSQL
+- GraphQL statt REST API
+- Client: Apollo (https://www.apollographql.com/)
+- Verwendung von hasura
+
+# Funktionale Anforderungen (High-Level)
+
+- Kostengünstige Alternative zu den Kernfunktionalitäten der Konkurrenz (Tufin, Algosec, Skybox)
+- Abdecken der regulatorischen Richtlinien (Dokumentation Config-Änderungen, Rezertifizierung Config)
+- "CMDB Netzwerk"
+- kritische Funktionen nicht im Kernprodukt (Config-Änderungen)
+- Bereitstellung offener Schnittstellen zur Automatisierung
diff --git a/inventory/group_vars/backends b/inventory/group_vars/backends
@@ -6,6 +6,7 @@ api_user: "{{ iso_dbadmin_name }}"
 api_user_password: "{{ dbadmin_pwd }}"
 api_user_email: "{{ api_user }}@localhost"
 api_hasura_admin_secret: "st8chelt1er"
+api_hasura_jwt_secret: "todo: to be filled, migrating from auth0 to local auth with django-graphql-jwt"
 api_hostname: "127.0.0.1"
 api_port: 8080
 API_SECRET_KEY: '3s)3o5_@2d!t21nammq38hnux9cfz5#9o0&nb4y8yn5xvqdhh^'

diff --git a/roles/api/doc/api_calls.txt b/roles/api/doc/api_calls.txt
@@ -1,3 +1,12 @@
+Method: POST
+URL:    https://demo.itsecorg.de/api/v1/graphql
+
+Header:
+	x-hasura-admin-secret --> st8chelt1er
+	content-type --> application/json
+	x-hasura-role-id --> ?
+
+--------------------
 
 query listRulesOfAllDevicesResolved {
   device {

diff --git a/roles/api/doc/auth_using_jwt_with_passportjs.txt b/roles/api/doc/auth_using_jwt_with_passportjs.txt
@@ -0,0 +1,5 @@
+https://hasura.io/blog/add-authentication-and-authorization-to-next-js-8-serverless-apps-using-jwt-and-graphql/
+
+choosing between auth modes JWT & webhook: https://hasura.io/learn/graphql/hasura-auth-slack/choosing-jwt-mode/
+
+https://hasura.io/learn/graphql/hasura-auth-slack/choosing-jwt-mode/1-choosing-auth-mode/
diff --git a/roles/api/doc/authentication_using_django.txt b/roles/api/doc/authentication_using_django.txt
@@ -1,3 +1,57 @@
 source: https://www.howtographql.com/graphql-python/4-authentication/
+https://django-graphql-jwt.domake.io/en/latest/settings.html
+
+only for ubuntu upgraded to 20.04:
+	sudo apt purge php7.3-common
+	sudo a2dismod php7.3
+
+sudo apt install python3-pip python3-venv
+pip3 install django-graphql-jwt wheel
+
+git clone https://github.com/howtographql/graphql-python.git
+cd graphql-python
+python3 -m venv venv
+source venv/bin/activate
+
+pip3 install -r requirements.txt
+python3 hackernews/manage.py migrate
+python3 hackernews/manage.py runserver
+
+browse to http://localhost:8000/graphql/
+
+
+# mutation to create user:
+mutation {
+  createUser(username:"tim", email:"[email protected]", password:"abc") {
+    user {
+      id
+      username
+      email
+    }
+  }
+}
+
+# mutation to login in user with password and to obtain token:
+mutation {
+  tokenAuth(username: "tim", password: "abc") {
+    token
+  }
+}
+
+# mutation to verify token validity:
+mutation {
+  verifyToken(token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsImV4cCI6MTU4ODQ5MjIzNywib3JpZ0lhdCI6MTU4ODQ5MTkzN30.r1JNmgef6OQc4lMDQtoGiWI2JEWJcdBEvKVi-ptePEU") {
+    payload
+  }
+}
+
+# mutation to refresh token:
+mutation {
+  refreshToken(token: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VybmFtZSI6InRpbSIsImV4cCI6MTU4ODQ5MjIzNywib3JpZ0lhdCI6MTU4ODQ5MTkzN30.r1JNmgef6OQc4lMDQtoGiWI2JEWJcdBEvKVi-ptePEU") {
+    payload
+  }
+}
 
 https://blog.apollographql.com/authorization-in-graphql-452b1c402a9
+
+
diff --git a/roles/api/doc/tools.MD b/roles/api/doc/tools.MD
@@ -0,0 +1,3 @@
+- graphql query tool insomnia
+  - ubuntu: sudo snap install insomnia oder:
+  - https://insomnia.rest/download/core/?&ref=
diff --git a/roles/api/templates/docker-run.sh.j2 b/roles/api/templates/docker-run.sh.j2
@@ -4,4 +4,5 @@ docker run -d --net=host -p {{ api_listener_ip }}:8080:8080 \
        -e HASURA_GRAPHQL_DATABASE_URL=postgres://{{ api_user }}:{{ api_user_password }}@{{ isodb_host }}:{{ iso_db_port }}/{{ iso_db_name }} \
        -e HASURA_GRAPHQL_ENABLE_CONSOLE=true \
        -e HASURA_GRAPHQL_ADMIN_SECRET={{ api_hasura_admin_secret }} \
+       -e HASURA_GRAPHQL_JWT_SECRET={{ api_hasura_jwt_secret }} \
        hasura/graphql-engine:v1.0.0