1527 lines
68 KiB
TeX
1527 lines
68 KiB
TeX
% =========================================================================== %
|
|
\part{Practical part}
|
|
|
|
\n{1}{Introduction}
|
|
|
|
A part of the task of this thesis was to build an actual Password Compromise
|
|
Monitoring Tool. Therefore, the development process, the tools and practices
|
|
used generally, and with more specificity the outcome are all described in the
|
|
following sections. A whole section is dedicated to application architecture,
|
|
whereby relevant engineering choices are justified and motifs preceding the
|
|
decisions are explained. This part then flows into recommendations for more of
|
|
a production deployment and concludes by describing the validation methods
|
|
chosen and used to ensure correctness and stability of the program.
|
|
|
|
|
|
\n{2}{Kudos}
|
|
|
|
The program that has been developed as part of this thesis used and utilised a
|
|
great deal of free (as in \textit{freedom}) and open-source software in the
|
|
process, either directly or as an outstanding work tool, and the author would
|
|
like to take this opportunity to recognise that fact\footnotemark.
|
|
|
|
In particular, the author acknowledges that this work would not be the same
|
|
without:
|
|
|
|
\begin{itemize}
|
|
\item vim (\url{https://www.vim.org/})
|
|
\item Arch Linux (\url{https://archlinux.org/})
|
|
\item ZSH (\url{https://www.zsh.org/})
|
|
\item kitty (\url{https://sw.kovidgoyal.net/kitty/})
|
|
\item Nix (\url{https://nixos.org/explore.html})
|
|
\item pre-commit (\url{https://pre-commit.com/})
|
|
\item Podman (\url{https://podman.io/})
|
|
\item Go (\url{https://go.dev/})
|
|
\end{itemize}
|
|
|
|
All of the code written has been typed into VIM (\texttt{9.0}), the shell used
|
|
to run the commands was ZSH, both running in the author's terminal emulator of
|
|
choice, \texttt{kitty}. The development machines ran a recent installation of
|
|
\textit{Arch Linux (by the way)} and Fedora 38, both using a
|
|
\texttt{6.\{2,3,4\}.x} XanMod variant of the Linux kernel.
|
|
|
|
\footnotetext{\textbf{Disclaimer:} the author is not affiliated with any of the
|
|
projects mentioned on this page.}
|
|
|
|
|
|
\n{1}{Development}
|
|
|
|
The source code of the project was being versioned since the start, using the
|
|
popular and industry-standard git (\url{https://git-scm.com}) source code
|
|
management (SCM) tool. Commits were made frequently and, if at all possible,
|
|
for small and self-contained changes of code, trying to follow sane commit
|
|
message \emph{hygiene}, i.e.\ striving for meaningful and well-formatted commit
|
|
messages. The name of the default branch is \texttt{development}, since that is
|
|
what the author likes to choose for new projects that are not yet stable (it is
|
|
in fact the default in author's \texttt{.gitconfig}).
|
|
|
|
|
|
\n{2}{Commit signing}
|
|
|
|
Since git allows cryptographically \emph{singing} all commits, it would be
|
|
unwise not to take advantage of this. For the longest time, GPG was the only
|
|
method available for signing commits in git; however, that is no longer
|
|
applicable~\cite{agwagitssh}. These days, it is also possible to both sign and
|
|
verify one's git commits (and tags!) using SSH keys, namely those produced by
|
|
OpenSSH, which \emph{can} be the same ones that can be used to log in to remote
|
|
systems. The author has, of course, not reused the same key pairs that are used
|
|
to connect to machines for signing commits. A different, \texttt{Ed25519}
|
|
elliptic curve key pairs have been used specifically for signing. Public
|
|
components of these keys are enclosed in this thesis as
|
|
Appendix~\ref{appendix:signingkeys} for future reference.
|
|
|
|
The validity of a signature on a particular commit can be viewed with git using
|
|
the following commands (the \% sign denotes the shell prompt):
|
|
|
|
\vspace{\parskip}
|
|
\begin{lstlisting}[language=bash, caption={Verifying the signature of a git commit},
|
|
label=gitverif, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg}]
|
|
% cd <cloned project dir>
|
|
% git show --show-signature <commit>
|
|
% # alternatively:
|
|
% git verify-commit <commit>
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
There is one caveat to this though, git first needs some additional
|
|
configuration for the code in Listing~\ref{gitverif} to work as one would
|
|
expect. Namely that the public key used to verify the signature needs to be
|
|
stored in git's ``allowed signers file'', then git needs to be told where that
|
|
file is located using the configuration value
|
|
\texttt{gpg.ssh.allowedsignersfile} and finally the configuration value of the
|
|
\texttt{gpg.format} field needs to be set to \texttt{ssh}. Luckily, because
|
|
git also allows the configuration values to be local to each repository, both
|
|
of the mentioned issues can be solved by running the following commands from
|
|
inside the cloned repository:
|
|
|
|
\vspace{\parskip}
|
|
\begin{lstlisting}[language=bash, caption={Prepare allowed signers file and signature format for git},
|
|
label=gitsshprep, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg}]
|
|
% # set the signature format for the local repository.
|
|
% git config --local gpg.format ssh
|
|
% # save the public key.
|
|
% cat > ./.tmp-allowed_signers \
|
|
<<<'surtur <insert literal surtur pubkey>
|
|
leo <insert literal leo pubkey>'
|
|
% # set the allowed signers file path for the local repository.
|
|
% git config --local gpg.ssh.allowedsignersfile=./.tmp-allowed_signers
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
After the code in Listing~\ref{gitsshprep} is run, everything from the
|
|
Listing~\ref{gitverif} should remain applicable for the lifetime of the
|
|
repository or until git changes implementation of signature verification. The
|
|
git \texttt{user.name} that can be seen on the commits in the \textbf{Author}
|
|
field is named after the machine that was used to develop the program, since
|
|
the author uses different signing keys on each machine. That way the committer
|
|
machine can be determined post-hoc.
|
|
|
|
For future reference, git has been used in the version \texttt{git version
|
|
2.4\{0,1,2\}.x}.
|
|
|
|
|
|
\n{2}{Continuous Integration}
|
|
|
|
To increase both the author's and public confidence in the atomic changes made
|
|
over time, it was attempted to thoroughly \emph{integrate} them using a
|
|
continuous integration (CI) service that was plugged into the main source code
|
|
repository since the early stages of development. This, of course, was again
|
|
self-hosted, including the workers. The tool of choice there was Drone
|
|
(\url{https://drone.io}) and the ``docker'' runner (in fact it runs any OCI
|
|
container) was used to run the builds.
|
|
|
|
The way this runner works is that it creates an ephemeral container for every
|
|
pipeline step and executes given \emph{commands} inside of it. At the end of
|
|
each step the container is discarded, while the repository, which is mounted
|
|
into each container's \texttt{/drone/src} is persisted between steps, allowing
|
|
it to be cloned only from \emph{origin} only at the start of the pipeline and
|
|
then shared for all the following steps, saving bandwidth, time and disk
|
|
writes.
|
|
|
|
The entire configuration used to run the pipelines can be found in a file named
|
|
\texttt{.drone.yml} at the root of the main source code repository. The
|
|
workflow consists of four pipelines, which are run in parallel. Two main
|
|
pipelines are defined to build the frontend assets, the \texttt{pcmt} binary
|
|
and run tests on \texttt{x86\_64} GNU/Linux targets, one for each of Arch and
|
|
Alpine (version 3.1\{7,8\}). These two pipelines are identical apart from
|
|
OS-specific bits such as installing a certain package, etc. For the record,
|
|
other OS-architecture combinations were not tested.
|
|
|
|
A third pipeline contains instructions to build a popular static analysis tool
|
|
called \texttt{golangci-lint}, which is sort of a meta-linter, bundling a
|
|
staggering amount of linters (linter is a tool that performs static code
|
|
analysis and can raise awareness of programming errors, flag potentially buggy
|
|
code constructs, or \emph{mere} stylistic errors) - from sources and then
|
|
perform the analysis of project's codebase using the freshly built binary. If
|
|
the result of this step is successful, a handful of code analysis services get
|
|
pinged in the next steps to take notice of the changes to project's source code
|
|
and update their metrics, details can be found in the main Drone configuration
|
|
file \texttt{.drone.yml} and the configuration for the \texttt{golangci-lint}
|
|
tool itself (such as what linters are enabled/disabled and with what settings)
|
|
can be found in the root of the repository in the file named
|
|
\texttt{.golangci.yml}.
|
|
|
|
The fourth pipeline focuses on linting the \texttt{Containerfile} and building
|
|
the container and pushing in to a public container registry, although the
|
|
latter action is only performed on feature branches, \emph{pull request} or
|
|
\emph{tag} events.
|
|
|
|
\obr{Drone CI median build
|
|
time}{fig:drone-median-build}{.84}{graphics/drone-median-build}
|
|
|
|
The median build time as of writing was 1 minute, which includes running all
|
|
four pipelines, and that is acceptable. Build times might of course vary
|
|
depending on the hardware, for reference, these builds were run on a machine
|
|
equipped with a Zen 3 Ryzen 5 5600 CPU with nominal clock times, DDR4 @ 3200
|
|
MHz RAM, a couple of PCIe Gen 4 NVMe drives in a mirrored setup (using ZFS) and
|
|
a 600 Mbps downlink, software-wise running Arch with an author-flavoured Xanmod
|
|
kernel version 6.\{2,3,4\}.x.
|
|
|
|
|
|
\n{2}{Source code repositories}\label{sec:repos}
|
|
|
|
The git repository containing source code of the \texttt{pcmt} project:\\
|
|
\url{https://git.dotya.ml/mirre-mt/pcmt.git}.
|
|
The git repository hosting the \texttt{pcmt} configuration schema:\\
|
|
\url{https://git.dotya.ml/mirre-mt/pcmt-config-schema.git}.
|
|
The repository containing the \LaTeX{} source code of this thesis:\\
|
|
\url{https://git.dotya.ml/mirre-mt/masters-thesis.git}.
|
|
|
|
All the pertaining source code was published in repositories on a publicly
|
|
available git server operated by the author, the reasoning \emph{pro}
|
|
self-hosting being that it is the preferred way of guaranteed autonomy over
|
|
one's source code, as opposed to large silos owned by big corporations having a
|
|
track record of arguably not always deciding with user's best interest in mind
|
|
(although recourse has been observed~\cite{ytdl}). When these providers act on
|
|
impulse or under public pressure they can potentially (at least temporarily)
|
|
disrupt operations of their users. Thus, they are not only beholding their
|
|
users to lengthy \emph{terms of service} that \emph{are subject to change at
|
|
any given moment}, but also outside factors beyond their control. Granted,
|
|
decentralisation can take a toll on discoverability of the project, but that is
|
|
only a concern if rapid market penetration is a goal, not when aiming for an
|
|
organically grown community.
|
|
|
|
|
|
\n{2}{Toolchain}
|
|
|
|
Throughout the creation of this work, the \emph{then-current} version of the Go
|
|
programming language was used, i.e. \texttt{go1.20}.
|
|
|
|
To read more on why Go was chosen in particular, see
|
|
Appendix~\ref{appendix:whygo}. Equally, Nix and Nix-based tools such as
|
|
\texttt{devenv} have also aided heavily during development, more on those is
|
|
written in Appendix~\ref{appendix:whynix}.
|
|
|
|
\tab{Tool/Library-Usage Matrix}{tab:toolchain}{1.0}{ll}{
|
|
\textbf{Tool/Library} & \textbf{Usage} \\
|
|
Go programming language & program core \\
|
|
Dhall configuration language & program configuration \\
|
|
Echo & HTTP handlers, controllers \\
|
|
ent & ORM using graph-based modelling \\
|
|
pq & Pure-Go Postgres drivers \\
|
|
bluemonday & sanitising HTML \\
|
|
TailwindCSS & utility-first approach to Cascading Style Sheets \\
|
|
PostgreSQL & persistent data storage \\
|
|
}
|
|
|
|
Table~\ref{tab:depsversionmx} contains the names and versions of the most
|
|
important libraries and supporting software that were used to build the
|
|
application.
|
|
|
|
\tab{Dependency-Version Matrix}{tab:depsversionmx}{1.0}{ll}{
|
|
\textbf{Name} & \textbf{version} \\
|
|
\texttt{echo} (\url{https://echo.labstack.com/}) & 4.11.1 \\
|
|
\texttt{go-dhall} (\url{https://github.com/philandstuff/dhall-golang}) & 6.0.2\\
|
|
\texttt{ent} (\url{https://entgo.io/}) & 0.12.3 \\
|
|
\texttt{pq} (\url{https://github.com/lib/pq/}) & 1.10.9 \\
|
|
\texttt{bluemonday} (\url{https://github.com/microcosm-cc/bluemonday}) & 1.0.25 \\
|
|
\texttt{tailwindcss} (\url{https://tailwindcss.com/}) & 3.3.0 \\
|
|
\texttt{PostgreSQL} (\url{https://www.postgresql.org/}) & 15.3 \\
|
|
}
|
|
|
|
Additionally, the dependency-version mapping for the Go program can be inferred
|
|
from looking at the \texttt{go.mod}'s first \textit{require} block at any point
|
|
in time. The same can be achieved for \emph{frontend} by glancing at the
|
|
\texttt{package-lock.json} file.
|
|
|
|
|
|
\n{1}{Application architecture}
|
|
|
|
The application is written in Go and uses \textit{gomodules}. The full name of
|
|
the module is \texttt{git.dotya.ml/mirre-mt/pcmt}.
|
|
|
|
\obr{Application class diagram}{fig:classdiagram}{.79}{graphics/pcmt-class-diagram.pdf}
|
|
|
|
\n{2}{Package structure}
|
|
|
|
The source code of the module is organised into smaller, self-contained Go
|
|
\emph{packages} appropriately along a couple of domains: logging, core
|
|
application, web routers, configuration and settings, etc. In Go, packages are
|
|
delimited by folder structure -- each folder can be a package.
|
|
|
|
Generally speaking, the program aggregates decision points into central places,
|
|
such as \texttt{run.go}, which then imports child packages that facilitate each
|
|
of the tasks of loading the configuration, connecting to the database and
|
|
running migrations, consolidating flag, environment variable and
|
|
configuration-based values into canonical \emph{settings} \texttt{struct},
|
|
setting up web routes, authenticating requests, or handling \texttt{signals}
|
|
and performing graceful shutdowns.
|
|
|
|
\n{3}{Internal package}
|
|
|
|
The \texttt{internal} package was not used as of writing, but the author plans
|
|
to eventually migrate \emph{internal} logic of the program into the internal
|
|
package to prevent accidental imports.
|
|
|
|
|
|
\n{2}{Logging}
|
|
|
|
The program uses \emph{dependency injection} to share a single logger instance
|
|
(the same technique is also used to share the database client). This logger is
|
|
then passed around as a pointer, so that the underlying data stays the same or
|
|
is modified concurrently for all consumers. As a rule of thumb throughout the
|
|
application, every larger \texttt{struct} that needs to be passed around is
|
|
passed around as a pointer.
|
|
|
|
An experimental (note: not anymore, with \texttt{go1.21} it was brought into
|
|
Go's \textit{stdlib}) library for \textit{structured} logging \texttt{slog} was
|
|
used to facilitate every logging need the program might have. It supports both
|
|
JSON and plain-text logging, which was made configurable by the program. Either
|
|
a configuration file value or an environment variable can be used to set this.
|
|
|
|
There are four log levels available by default (\texttt{DEBUG}, \texttt{INFO},
|
|
\texttt{WARNING}, \texttt{ERROR}) and the pertinent library funtions are
|
|
parametric. The first parameter of type \texttt{string} is the main message,
|
|
that is supplied as a \emph{value} to the \emph{key} named appropriately
|
|
`\texttt{msg}', a feature of structured loggers which can later be used for
|
|
filtering. Any other parameters need to be supplied in pairs, serving as key
|
|
and value, respectively.
|
|
|
|
This main \texttt{slog} interface has been extended in package
|
|
\texttt{slogging} to also provide the formatting functionality of the
|
|
\texttt{fmt} standard library package. This was achieved by directly embedding
|
|
\texttt{slog.Logger} in a custom \texttt{struct} type named \texttt{Slogger}
|
|
and implementing the additional methods on the custom type. The new type that
|
|
embeds the original \texttt{slog.Logger} gets to keep its methods thanks to the
|
|
composition nature of Go. Thus, common formatting directives like the one seen
|
|
in Listing~\ref{goFmtExpression} are now supported with the custom logger, in
|
|
addition to anything the base \texttt{slog.Logger} offers.
|
|
|
|
\vspace{\parskip}
|
|
\begin{lstlisting}[language=Go, caption={Example formatting expression supplied
|
|
to the logger}, label=goFmtExpression, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
otherkeywords={\%s, \%q, \%v},
|
|
]
|
|
slogger.Debugf("operation %q for user %q completed at %s", op, usr.ID, time.Now())
|
|
\end{lstlisting}
|
|
|
|
Furthermore, functionality was added to support changing the log level at
|
|
runtime, which is a convenient feature in certain situations.
|
|
|
|
|
|
\n{2}{Authentication}
|
|
|
|
The authentication logic is relatively simple and its core has mostly been
|
|
isolated into a custom \emph{middleware}. User passwords are hashed using a
|
|
secure KDF before ever being sent to the database. The KDF of choice is
|
|
\texttt{bcrypt} (with a sane \emph{Cost} of 10), which automatically includes
|
|
\emph{salt} for the password and provides ``length-constant'' time hash
|
|
comparisons. The author plans to add support for the more modern
|
|
\texttt{scrypt} and the state-of-the-art, P-H-C (Password Hashing Competition)
|
|
winner algorithm \texttt{Argon2}
|
|
(\url{https://github.com/P-H-C/phc-winner-argon2}) for flexibility.
|
|
|
|
\n{2}{SQLi prevention}
|
|
|
|
No raw SQL queries are directly used to access the database, thus decreasing
|
|
the likelihood of SQL injection attacks. Instead, parametric queries are
|
|
constructed in code using a graph-like API of the \texttt{ent} library, which
|
|
is attended to in depth in Section~\ref{sec:dbschema}.
|
|
|
|
|
|
\n{2}{Configurability}
|
|
|
|
Virtually any important value in the program has been made into a configuration
|
|
value, so that the operator can customise the experience as needed. A choice of
|
|
sane configuration defaults was attempted, which resulted in the configuration
|
|
file essentially only needing to contain secrets, unless there is a need to
|
|
override the defaults. It is not entirely \emph{zero-config} situation, rather
|
|
a \emph{minimal-config} one. An example can be seen in
|
|
Section~\ref{sec:configuration}.
|
|
|
|
|
|
\n{2}{Embedded assets}
|
|
|
|
An important thing to mention is embedded assets and templates. Go has multiple
|
|
mechanisms to natively embed arbitrary files directly into the binary during
|
|
the regular build process. \texttt{embed.FS} from the standard library'
|
|
\texttt{embed} package was used to bundle all template files and web assets,
|
|
such as images, logos and stylesheets at the module level. These are then
|
|
passed around the program as needed, such as to the \texttt{handlers} package.
|
|
|
|
There is also a toggle in the application configuration (\texttt{LiveMode}),
|
|
which can instruct the program at start-up to either rely entirely on embedded
|
|
assets or pull live template and asset files from the filesystem. The former
|
|
option makes the application more portable as it is wholly self-contained,
|
|
while the latter allows for flexibility and customisation not only during
|
|
development.
|
|
|
|
|
|
\n{2}{Composability}
|
|
|
|
The core templating functionality was provided by the \texttt{html/template} Go
|
|
standard library package. Echo's \texttt{Renderer} interface has been
|
|
implemented, so that template rendering could be performed directly using
|
|
Echo's built-in facilities in a more ergonomic manner using \texttt{return
|
|
c.Render(http.StatusOk, "home.tmpl")}.
|
|
|
|
\vspace{\parskip}
|
|
\begin{lstlisting}[
|
|
caption={Conditionaly enabling functionality inside a Go template based on user access level},
|
|
label=tmplConditionals, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
morekeywords={if,and,end},
|
|
]
|
|
{{ if and .User .User.IsLoggedIn .User.IsAdmin }}
|
|
...
|
|
{{ end }}
|
|
\end{lstlisting}
|
|
|
|
Templates used for rendering of the web pages were created in a composable
|
|
manner, split into smaller, reusable parts, such as \texttt{footer.tmpl} and
|
|
\texttt{head.tmpl}. Those could then be included e.g.\ using \texttt{\{\{
|
|
template "footer.tmpl" \}\}}. Specific functionality is conditionally
|
|
executed based on the determined level of access of the user, see
|
|
Listing~\ref{tmplConditionals} for reference.
|
|
|
|
A popular HTML sanitiser \texttt{bluemonday} has been employed to aid with
|
|
battling XSS. The program first runs every template through the sanitiser
|
|
before rendering it, so that any user-controlled inputs are handled safely.
|
|
|
|
|
|
\n{2}{Server-side rendering}
|
|
|
|
The application constructs the web pages \emph{entirely} on the server side,
|
|
and it runs without a single line of JavaScript, of which the author is
|
|
especially proud. It improves load times, decreases the attack surface,
|
|
increases maintainability and reduces cognitive load that is required when
|
|
dealing with JavaScript. Of course, that requires extensive usage of
|
|
non-semantic \texttt{POST} requests in web forms even for data updates (where
|
|
\texttt{PUT}s should be used) and the accompanying frequent full-page
|
|
refreshes, but that still is not enough to warrant the use of JavaScript.
|
|
|
|
|
|
\n{2}{Frontend}
|
|
|
|
Frontend-side, the application was styled using TailwindCSS, which promotes
|
|
usage of flexible \emph{utility-first} classes in the markup (HTML) instead of
|
|
separating out the specific styles out into all-encompassing classes. The
|
|
author understands this is somewhat of a preference issue and does not hold
|
|
hard opinions in either direction, however, a note has to be made that this
|
|
approach empirically allows for a rather quick UI prototyping. Tailwind was
|
|
chosen partially also because it \emph{looked} nice, had a reasonably detailed
|
|
documentation and offered built-in support for dark/light mode. The templates
|
|
containing the CSS classes need to be parsed by Tailwind in order to construct
|
|
the final stylesheet. Upstream provides the original CLI tool called
|
|
\texttt{tailwindcss}, which can be used exactly for that action. Overall, simple
|
|
and accessible layouts were preferred, a single page was rather split into
|
|
multiple when becoming convoluted, and data-backed efforts were made to create
|
|
reasonably contrasting pages.
|
|
|
|
\n{3}{Frontend experiments}
|
|
|
|
As an aside, the author has briefly experimented with WebAssembly for this
|
|
project, but has ultimately scrapped the functionality in favour of the
|
|
entirely server-side rendered one. It is possible that it would get revisited
|
|
if the client-side dynamic functionality was necessary and performance
|
|
mattered. Even from the short experiments it was obvious how much faster
|
|
WebAssembly was when compared to JavaScript.
|
|
|
|
|
|
\newpage
|
|
\n{2}{User isolation}
|
|
|
|
Users are allowed into certain parts of the application based on the role they
|
|
currently possess. For the moment, two basic roles were envisioned, while this
|
|
list might get amended in the future, should the need arise:
|
|
|
|
\begin{itemize}
|
|
\item Administrator
|
|
\item User
|
|
\end{itemize}
|
|
|
|
\obr{Application use case diagram}{fig:usecasediagram}{.9}{graphics/pcmt-use-case.pdf}
|
|
|
|
It is paramount that the program protects itself from the insider threats as
|
|
well and therefore each role is only able to perform actions that it is
|
|
explicitly assigned. While there definitely is certain overlap between the
|
|
capabilities of the two outlined roles, each also possesses unique features
|
|
that the other one does not.
|
|
|
|
For instance, the administrator role is not able to perform searches on the
|
|
breach data directly using their administrator account, for that a separate
|
|
user account has to be devised. Similarly, the regular user is not able to
|
|
manage breach lists and other users, because that is a privileged operation.
|
|
|
|
In-application administrators are not able to view sensitive (any) user data
|
|
and should therefore only be able to perform the following actions:
|
|
|
|
\begin{itemize}
|
|
\item Create user accounts
|
|
\item View list of users
|
|
\item View user email
|
|
\item Change user email
|
|
\item Toggle whether user is an administrator
|
|
\item Delete user accounts
|
|
\end{itemize}
|
|
|
|
Let us consider a case when a user manages self, while demoting from
|
|
administrator to a regular user is permitted, promoting self to be an
|
|
administrator would constitute a \emph{privilege escalation} and likely be a
|
|
precursor to at least a \emph{denial of service} of sorts.
|
|
|
|
|
|
\n{2}{Zero trust principle}
|
|
|
|
\textit{Confidentiality, i.e.\ not trusting the provider}
|
|
|
|
There is no way for the application (and consequently, the in-application
|
|
administrator) to read user's data. This is possible by virtue of encrypting
|
|
the pertinent data before saving them in the database by a state-of-the-art
|
|
\emph{age} key~\cite{age} (backed by X25519~\cite{x25519rfc7748}), which is in
|
|
turn safely stored encrypted by a passphrase that only the user controls. Of
|
|
course, the user-supplied password is run by a password based key derivation
|
|
function (PBKDF: a key derivation function with a sliding computational cost)
|
|
before letting it encrypt the \emph{age} key.
|
|
|
|
The \emph{age} key is only generated when the user changes their password for
|
|
the first time to prevent scenarios such as in-application administrator with
|
|
access to physical database being able to both \textbf{recover} the key from
|
|
the database and \textbf{decrypt} it given that they already know the user
|
|
password (because they set it), which would subsequently give them unbounded
|
|
access to any future encrypted data, as long as they would be able to maintain
|
|
their database access. This is why the \emph{age} key generation and protection
|
|
are bound to the first password change. Of course, the evil administrator could
|
|
just perform the change themselves; however, the user would at least be able to
|
|
find those changes in the activity logs and know not to use the application.
|
|
But given the scenario of a total database compromise, the author finds all
|
|
hope is already lost at that point. At least when the database is dumped, it
|
|
only contains non-sensitive, functional information in plain test, everything
|
|
else should be encrypted.
|
|
|
|
Consequently, both the application operators and the in-application
|
|
administrators should never be able to learn the details of what the user is
|
|
tracking, the same being applicable even to potential attackers with direct
|
|
access to the database. Thus, the author maintains that every scenario that
|
|
could potentially lead to a data breach (apart from a compromised user machine
|
|
and the like) would have to entail some form of operating memory acquisition,
|
|
for instance using \texttt{LiME}~\cite{lime}, or perhaps directly the
|
|
\emph{hypervisor}, if considering a virtualised (``cloud'') environments.
|
|
|
|
|
|
\n{1}{Implementation}
|
|
|
|
\n{2}{Dhall Configuration Schema}\label{sec:configuration}
|
|
|
|
The configuration schema was at first being developed as part of the main
|
|
project's repository, before it was determined that it would benefit both the
|
|
development and overall clarity if the schema lived in its own repository (see
|
|
Section~\ref{sec:repos} for details). This now enables the schema to be
|
|
independently developed and versioned, and only pulled into the main
|
|
application whenever the application is determined to be ready for it.
|
|
|
|
|
|
% \vspace{\parskip}
|
|
\smallskip
|
|
% \vspace{\baselineskip}
|
|
\begin{lstlisting}[language=Haskell, caption={Dhall configuration schema version 0.0.1-rc.2},
|
|
label=dhallschema, basicstyle=\linespread{0.9}\footnotesize\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
morekeywords={Text, Natural, Optional, Type}
|
|
]
|
|
let Schema =
|
|
{ Type =
|
|
{ Host : Text
|
|
, Port : Natural
|
|
, HTTP :
|
|
{ Domain : Text
|
|
, Secure : Bool
|
|
, AutoTLS : Bool
|
|
, TLSKeyPath : Text
|
|
, TLSCertKeyPath : Text
|
|
, HSTSMaxAge : Natural
|
|
, ContentSecurityPolicy : Text
|
|
, RateLimit : Natural
|
|
, Gzip : Natural
|
|
, Timeout : Natural
|
|
}
|
|
, Mailer :
|
|
{ Enabled : Bool
|
|
, Protocol : Text
|
|
, SMTPAddr : Text
|
|
, SMTPPort : Natural
|
|
, ForceTrustServerCert : Bool
|
|
, EnableHELO : Bool
|
|
, HELOHostname : Text
|
|
, Auth : Text
|
|
, From : Text
|
|
, User : Text
|
|
, Password : Text
|
|
, SubjectPrefix : Text
|
|
, SendPlainText : Bool
|
|
}
|
|
, LiveMode : Bool
|
|
, DevelMode : Bool
|
|
, AppPath : Text
|
|
, Session :
|
|
{ CookieName : Text
|
|
, CookieAuthSecret : Text
|
|
, CookieEncrSecret : Text
|
|
, MaxAge : Natural
|
|
}
|
|
, Logger : { JSON : Bool, Fmt : Optional Text }
|
|
, Init : { CreateAdmin : Bool, AdminPassword : Text }
|
|
, Registration : { Allowed : Bool }
|
|
}
|
|
}
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
Full schema with type annotations can be seen in Listing~\ref{dhallschema}.
|
|
|
|
The \texttt{let} statement declares a variable called \texttt{Schema} and
|
|
assigns to it the result of the expression on the right side of the equals
|
|
sign, which has for practical reasons been trimmed and is displayed without the
|
|
\emph{default} block. The default block is instead shown in its own
|
|
Listing~\ref{dhallschemadefaults}.
|
|
|
|
The main configuration comprises both raw attributes and child records, which
|
|
allow for grouping of related functionality. For instance, configuration
|
|
settings pertaining mailserver setup are grouped in a record named
|
|
\textbf{Mailer}. Its attribute \textbf{Enabled} is annotated as \textbf{Bool},
|
|
which was deemed appropriate for an on-off switch-like functionality, with the
|
|
only permissible values being either \emph{True} or \emph{False}.
|
|
|
|
Do note that in Dhall $true\ != True$, since internally \textbf{True} is a
|
|
\texttt{Bool} constant built directly into Dhall (see ``The
|
|
Prelude''~\cite{dhallprelude} for reference), while \textbf{true} is evaluated
|
|
as an \emph{unbound} variable, that is, a variable \emph{not} defined in the
|
|
current \emph{scope} and thus not \emph{present} in the current scope.
|
|
|
|
Another one of Dhall's specialties is that `$==$' and `$!=$' (in)equality
|
|
operators \textbf{only} work on values of type \texttt{Bool}, which for example
|
|
means that variables of type \texttt{Natural} (\texttt{uint}) or \texttt{Text}
|
|
(\texttt{string}) cannot be compared directly as is the case in other
|
|
languages. That either leaves the comparing work for a higher-level language
|
|
(such as Go). Alternatively, from the perspective of the Dhall authors
|
|
\emph{enums} are the promoted way to solve this when the value matters, i.e.\
|
|
derive a custom \emph{named} type from a primitive type and compare
|
|
\emph{that}.
|
|
|
|
\newpage
|
|
% \vspace{\parskip}
|
|
\begin{lstlisting}[language=Haskell, caption={Dhall configuration defaults for
|
|
schema version 0.0.1-rc.2},
|
|
label=dhallschemadefaults, basicstyle=\linespread{0.9}\footnotesize\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
]
|
|
, default =
|
|
-- | have sane defaults.
|
|
{ Host = ""
|
|
, Port = 3000
|
|
, HTTP =
|
|
{ Domain = ""
|
|
, Secure = False
|
|
, AutoTLS = False
|
|
, TLSKeyPath = ""
|
|
, TLSCertKeyPath = ""
|
|
, HSTSMaxAge = 0
|
|
, ContentSecurityPolicy = ""
|
|
, RateLimit = 0
|
|
, Gzip = 0
|
|
, Timeout = 0
|
|
}
|
|
, Mailer =
|
|
{ Enabled = False
|
|
, Protocol = "smtps"
|
|
, SMTPAddr = ""
|
|
, SMTPPort = 465
|
|
, ForceTrustServerCert = False
|
|
, EnableHELO = False
|
|
, HELOHostname = ""
|
|
, Auth = ""
|
|
, From = ""
|
|
, User = ""
|
|
, Password = ""
|
|
, SubjectPrefix = "pcmt - "
|
|
, SendPlainText = True
|
|
}
|
|
, LiveMode =
|
|
-- | LiveMode controls whether the application looks for
|
|
-- | directories "assets" and "templates" on the filesystem or
|
|
-- | in its bundled Embed.FS.
|
|
False
|
|
, DevelMode = False
|
|
, AppPath =
|
|
-- | AppPath specifies where the program looks for "assets" and
|
|
-- | "templates" in case LiveMode is True.
|
|
"."
|
|
, Session =
|
|
{ CookieName = "pcmt_session"
|
|
, CookieAuthSecret = ""
|
|
, CookieEncrSecret = ""
|
|
, MaxAge = 3600
|
|
}
|
|
, Logger = { JSON = True, Fmt = None Text }
|
|
, Init =
|
|
{ CreateAdmin =
|
|
-- | if this is True, attempt to create a user with admin
|
|
-- | privileges with the password specified below
|
|
False
|
|
, AdminPassword =
|
|
-- | used for the first admin, forced change on first login.
|
|
"50ce50fd0e4f5894d74c4caecb450b00c594681d9397de98ffc0c76af5cff5953eb795f7"
|
|
}
|
|
, Registration.Allowed = True
|
|
}
|
|
}
|
|
|
|
in Schema
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
\vspace*{-\baselineskip}
|
|
\vspace*{-\baselineskip}
|
|
\n{2}{Data integrity and authenticity}
|
|
|
|
The user can interact with the application via a web client, such as a browser,
|
|
and is required to authenticate for all sensitive operations. To not only know
|
|
\emph{who} the user is but also make sure they are \emph{permitted} to perform
|
|
the action they are attempting, the program employs an \emph{authorisation}
|
|
mechanism in the form of sessions. These are on the client side represented by
|
|
cryptographically signed and encrypted (using 256-bit AES) HTTP cookies. That
|
|
lays foundations for a few things: the data saved into the cookies can be
|
|
regarded as private because short of future \emph{quantum computers} only the
|
|
program itself can decrypt and access the data, and the data can be trusted
|
|
since it is both signed using the key that only the program controls and
|
|
\emph{encrypted} with \emph{another} key that equally only the program holds.
|
|
|
|
The cookie data is only ever written \emph{or} read at the server side,
|
|
solidifying the authors decision to let it be encrypted, as there is no point
|
|
in not encrypting it for some perceived client-side simplification. Users
|
|
navigating the website send their session cookie (if it exists) with
|
|
\textbf{every request} to the server, which subsequently verifies the integrity
|
|
of the data and in case it is valid, determines the existence and potential
|
|
amount of user privilege that should be granted. Public endpoints do not
|
|
mandate the presence of a valid session by definition, while at protected
|
|
endpoints the user is authenticated at every request. When a session expires or
|
|
if there is no session to begin with, the user is either shown a \emph{Not
|
|
found} error message, the \emph{Unauthorised} error message or redirected to
|
|
\texttt{/signin}, depending on the endpoint or resource, as can be seen, this
|
|
behaviour is not uniform and depends on the resource and/or the endpoint.
|
|
|
|
Another aspect that contributes to data integrity from \emph{another} point of
|
|
view is utilising database \emph{transactions} for bundling together multiple
|
|
database operations that collectively change the \emph{state}. Using the
|
|
transactional jargon, the data is only \emph{committed} if each individual
|
|
change was successful. In case of any errors, the database is instructed to
|
|
perform an atomic \emph{rollback}, which brings it back to a state before the
|
|
changes were ever attempted.
|
|
|
|
The author has additionally considered the thought of utilising an embedded
|
|
immutable database like immudb (\url{https://immudb.io}) for record keeping
|
|
(verifiably storing data change history) and additional data integrity checks,
|
|
e.g.\ for tamper protection purposes and similar; however, that work remains
|
|
yet to be materialised.
|
|
|
|
|
|
\n{2}{Database schema}\label{sec:dbschema}
|
|
|
|
The database schema is not being created by manually typing out SQL statements.
|
|
Instead, an Object-relational Mapping (ORM) tool named \texttt{ent} is used,
|
|
which allows defining the table schema and relations entirely in Go. The upside
|
|
of this approach is that the \emph{entity} types are natively understood by
|
|
code editors, and they also get type-checked by the compiler for correctness,
|
|
preventing all sorts of headaches and potential bugs.
|
|
|
|
Since \texttt{ent} encourages the usage of \emph{declarative migrations} at
|
|
early stages of the project, it is not required for the database schema to
|
|
exist on application start-up in form of raw SQL (or HCL). Instead,
|
|
\texttt{ent} only requires a valid connection string providing reasonably
|
|
privileged access to the database and it handlers the database configuration by
|
|
auto-generating SQL with the help of the companion embedded library
|
|
\texttt{Atlas} (\url{https://atlasgo.io/}). The upstream project (\texttt{ent})
|
|
encourages moving to otherwise more traditional \emph{versioned migrations} for
|
|
more mature projects, so that is on the roadmap for later.
|
|
|
|
The best part about using \texttt{ent} is that there is no need to define
|
|
supplemental methods on the models, as with \texttt{ent} these are meant to be
|
|
\emph{code generated} (in the older sense of word, not with Large Language
|
|
Models) into existence. Code generation creates files with actual Go models
|
|
based on the types of the attributes in the database schema model, and the
|
|
respective relations are transformed into methods on the receiver or functions
|
|
taking object attributes as arguments.
|
|
|
|
For instance, if the model's attribute is a string value \texttt{Email}, ent
|
|
can be used to generate code that contains methods on the user object like the
|
|
following:
|
|
|
|
\begin{itemize}
|
|
\item \texttt{EmailIn(pattern string)}
|
|
\item \texttt{EmailEQ(email string)}
|
|
\item \texttt{EmailNEQ(email string)}
|
|
\item \texttt{EmailHasSuffix(suffix string)}
|
|
\end{itemize}
|
|
|
|
These methods can further be imported into other packages and this makes
|
|
working with the database a morning breeze.
|
|
|
|
All the database \empg{entity} IDs were declared as type \texttt{UUID}
|
|
(\emph{universally unique ID, theoretically across space and time}), contrary
|
|
to the more traditional \emph{integer} IDs.
|
|
|
|
Support for \texttt{UUID}s was provided natively by the supported databases and
|
|
in Go via a popular and vetted open-source library
|
|
(\url{github.com/google/uuid}). Among the upsides of using \texttt{UUID}s over
|
|
integer IDs is that there is no need to manually increment the ID. But more
|
|
importantly, there is also the fact that compared to 32-bit\footnotemark{}
|
|
signed integers the \texttt{UUID} is a somewhat randomly generated 16 byte (128
|
|
bit) array, reducing chances of collision.
|
|
|
|
Barring higher chances of preventing conflicts during imports of foreign
|
|
databases, this design decision might not provide any advantage for the current
|
|
system \emph{at the moment}. It could, however, hold importance in the future,
|
|
should the database ever be deployed in a replicated, high-availability (HA)
|
|
manner with more than one concurrent \emph{writer} (replicated application
|
|
instances).
|
|
|
|
\footnotetext{In Go, integer size is architecture dependent, see
|
|
\url{https://go.dev/ref/spec#Numeric_types}}
|
|
|
|
The relations between entities as modelled with \texttt{ent} can be imagined as
|
|
the edges connecting the nodes of a directed \emph{graph}, with the nodes
|
|
representing the entities. This conceptualisation lends itself for a more
|
|
human-friendly querying language, where the directionality can be expressed
|
|
with words describing ownership
|
|
|
|
|
|
|
|
\n{1}{Deployment}
|
|
|
|
\textbf{TODO}: mention how \texttt{systemd} aids in running the pod.\\
|
|
\\
|
|
A deployment setup as suggested in Section~\ref{sec:deploymentRecommendations}
|
|
is already partially covered by the multi-stage \texttt{Containerfile} that is
|
|
available in the main sources. Once built, the resulting container image only
|
|
contains a handful of things it absolutely needs:
|
|
|
|
\begin{itemize}
|
|
\item a statically linked copy of the program (contains parts of the Go
|
|
stdlib)
|
|
\item a default configuration file and corresponding Dhall expressions cached
|
|
at build time
|
|
\item a recent CA certs bundle
|
|
\end{itemize}
|
|
|
|
Since the program also needs a database for proper functioning, an example
|
|
scenario includes the application container being run in a Podman \textbf{pod}
|
|
(as in a pea pod or pod of whales) together with the database. That results in
|
|
not having to expose the database to the entire host or out of the pod at all,
|
|
it is only available over pod's \texttt{localhost}. Hopefully it goes without
|
|
saying that the default values of any configuration secrets should be
|
|
substituted by the application operator with new, securely generated ones.
|
|
|
|
|
|
\n{2}{Rootless Podman}
|
|
|
|
Assuming rootless Podman set up and the \texttt{just} tool installed on the
|
|
host, the application could be deployed by following a series of relatively
|
|
simple steps:
|
|
|
|
\begin{itemize}
|
|
\item build (or pull) the application container image
|
|
\item create a pod with user namespacing, exposing the application port
|
|
\item run the database container inside the pod
|
|
\item run the application inside the pod
|
|
\end{itemize}
|
|
|
|
In concrete terms, it would resemble something along the lines of
|
|
Listing~\ref{podmanDeployment}. Do note that all the commands are executed
|
|
under the unprivileged \texttt{user@containerHost} that is running rootless
|
|
Podman, i.e.\ it has \texttt{UID}/\texttt{GID} mapping entries in
|
|
\texttt{/etc/setuid} and \texttt{\etc/setgid} files \textbf{prior} to running any
|
|
Podman commands.
|
|
|
|
% \newpage
|
|
\begin{lstlisting}[language=bash, caption={Example application deployment using
|
|
rootless Podman},
|
|
label=podmanDeployment, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg}, commentcolor=\color{Gray},
|
|
morekeywords={mkdir,podman,just},
|
|
]
|
|
# From inside the project folder, build the image locally using kaniko.
|
|
just kaniko
|
|
|
|
# Create a pod, limit the amount of memory/CPU available to its containers.
|
|
podman pod create --replace --name pcmt \
|
|
--memory=100m --cpus=2 \
|
|
--userns=keep-id -p3005:3000
|
|
|
|
# Create the database folder and run the database in the pod.
|
|
mkdir -pv ./tmp/db
|
|
podman run --pod pcmt --replace -d --name "pcmt-pg" --rm \
|
|
-e POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256 \
|
|
--auth-local=scram-sha-256" \
|
|
-e POSTGRES_PASSWORD=postgres \
|
|
-v $PWD/tmp/db:/var/lib/postgresql/data:Z \
|
|
--health-cmd "sh -c 'pg_isready -U postgres -d postgres'" \
|
|
--health-on-failure kill \
|
|
--health-retries 3 \
|
|
--health-interval 10s \
|
|
--health-timeout 1s \
|
|
--health-start-period=5s \
|
|
docker.io/library/postgres:15.2-alpine3.17
|
|
|
|
# Run the application itself in the pod.
|
|
podman run --pod pcmt --replace --name pcmt-og -d --rm \
|
|
-e PCMT_LIVE=False \
|
|
-e PCMT_DBTYPE="postgres" \
|
|
-e PCMT_CONNSTRING="host=pcmt-pg port=5432 sslmode=disable \
|
|
user=postgres dbname=postgres password=postgres"
|
|
-v $PWD/config.dhall:/config.dhall:Z,ro \
|
|
docker.io/immawanderer/pcmt:testbuild -config /config.dhall
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
To summarise Listing~\ref{podmanDeployment}, first the application container
|
|
is built from inside the project folder using \texttt{kaniko}. Alternatively,
|
|
the container image could be pulled from a container repository, but it makes
|
|
more sense showing the image being built from sources with the listing
|
|
depicting a \texttt{:testbuild} tag being used.
|
|
|
|
Next, a \emph{pod} is created and given a name, setting the port binding for
|
|
the application. Then, the database container is started inside the pod,
|
|
configured with a healthchecking mechanism.
|
|
|
|
As a final step, the application container itself is run inside the pod. The
|
|
application configuration named \texttt{config.dhall} located in \texttt{\$PWD}
|
|
is mounted as a volume into container's \texttt{/config.dhall}, providing the
|
|
application with a default configuration. The default container does contain a
|
|
default configuration for reference, however, running the container without
|
|
additionally providing the necessary secrets would fail.
|
|
|
|
\n{3}{Sanity checks}
|
|
|
|
Also do note that the application connects to the database using its
|
|
\emph{container} name, i.e.\ not the IP address. This is possible thanks to
|
|
Podman setting up DNS resolution inside pods using default networks in such a
|
|
way that all containers in the pod can reach each other using their (container)
|
|
names.
|
|
|
|
Interestingly, connecting via \texttt{localhost} from containers inside the pod
|
|
would also work. Inside the pod, any container in the pod can reach any other
|
|
container in the same pod via \emph{pod's} own \texttt{localhost}, thanks to a
|
|
shared network name space~\cite{podmanNet}.
|
|
|
|
In fact, \emph{pinging} (sending ICMP packets using the \texttt{ping} command)
|
|
the database and application containers from an ad-hoc Alpine Linux container
|
|
that just joined the pod temporarily yields:
|
|
|
|
\vspace{\parskip}
|
|
\begin{lstlisting}[language=bash, caption={Pinging pod containers using their
|
|
names}, label=podmanPing, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
morekeywords={podman,ping}
|
|
]
|
|
user@containerHost % podman run --rm -it \
|
|
--user=0 \
|
|
--pod=pcmt \
|
|
docker.io/library/alpine:3.18
|
|
/ % ping -c2 pcmt-og
|
|
PING pcmt-og (127.0.0.1): 56 data bytes
|
|
64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.072 ms
|
|
64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.118 ms
|
|
|
|
--- pcmt-og ping statistics ---
|
|
2 packets transmitted, 2 packets received, 0% packet loss
|
|
round-trip min/avg/max = 0.072/0.095/0.118 ms
|
|
/ % ping -c2 pcmt-pg
|
|
PING pcmt-pg (127.0.0.1): 56 data bytes
|
|
64 bytes from 127.0.0.1: seq=0 ttl=42 time=0.045 ms
|
|
64 bytes from 127.0.0.1: seq=1 ttl=42 time=0.077 ms
|
|
|
|
--- pcmt-pg ping statistics ---
|
|
2 packets transmitted, 2 packets received, 0% packet loss
|
|
round-trip min/avg/max = 0.045/0.061/0.077 ms
|
|
/ %
|
|
\end{lstlisting}
|
|
|
|
Was the application deployed in a traditional manner instead of using Podman,
|
|
the use of FQDNs or IPs would be probably be necessary, as there would be no
|
|
magic resolution of container names happening transparently in the background.
|
|
|
|
\n{3}{Database isolation from the host}
|
|
|
|
A keen observer has undoubtedly noticed that the pod constructed in
|
|
Listing~\ref{podmanDeployment} did only create the binding for a port used by
|
|
the application (\texttt{5005/tcp}). The Postgres default port
|
|
\texttt{5432/tcp} is not among pod's port bindings, as can be seen in the pod
|
|
creation command in the said listing. This can also easily be verified using
|
|
the command in Listing~\ref{podmanPortBindings}:
|
|
|
|
\begin{lstlisting}[language=bash, caption={Podman pod port binding inspection},
|
|
label=podmanPortBindings, basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
morekeywords={podman},
|
|
]
|
|
user@containerHost % podman pod inspect pcmt \
|
|
--format="Port bindings: {{.InfraConfig.PortBindings}}\n\
|
|
Host network: {{.InfraConfig.HostNetwork}}"
|
|
Port bindings: map[3000/tcp:[{ 5005}]]
|
|
Host network: false
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
To be absolutely sure that the database is available only internally in the pod
|
|
(unless, of course, there is another process listening on the subject port),
|
|
and that connecting to the database from outside the pod (i.e. from the
|
|
container host) really \emph{does} fail, the following commands can be issued:
|
|
|
|
\begin{lstlisting}[language=bash, caption={In-pod database is unreachable from
|
|
the host}, breaklines=true, label=podDbUnreachable,
|
|
basicstyle=\linespread{0.9}\small\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
]
|
|
user@containerHost % curl localhost:5432
|
|
--> curl: (7) Failed to connect to localhost port 5432 after 0 ms: Couldn't connect to server
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
The error in Listing~\ref{podDbUnreachable} is indeed expected, as it is the
|
|
result of the database port not been exposed from the pod.
|
|
|
|
Of course, since a volume (essentially a bind mount) from the host is used, the
|
|
actual data is still accessible on the host, both to privileged users and the
|
|
user running the pod. On the host with SELinux support, the \texttt{:Z} volume
|
|
addendum at least ensures that the content of the volume is directly
|
|
inaccessible to other containers, including the application container running
|
|
inside the same pod, via SELinux labelling.
|
|
|
|
\n{3}{Health checks}
|
|
|
|
Running the containers with health checks can be counted among the few crucial
|
|
settings. That way
|
|
the container runtime can periodically \emph{check} that the application
|
|
running inside the container is behaving correctly and instructions can be
|
|
provided on what action should be taken, should the health of the application
|
|
evaluate unsatisfyingly. Furthermore, different sets of health checking
|
|
commands can be passed with Podman for start-up and runtime.
|
|
|
|
|
|
\n{2}{Reverse proxy configuration}
|
|
|
|
If the application is deployed behind a reverse proxy, such as NGINX, the
|
|
configuration snippet in Listing~\ref{nginxSnip} might apply. Do note how the
|
|
named upstream server \texttt{pcmt} references the port that was exposed from
|
|
the pod created in Listing~\ref{podmanDeployment}.
|
|
|
|
\begin{lstlisting}[caption={Example reverse proxy configuration snippet},
|
|
breaklines=true, label=nginxSnip, basicstyle=\linespread{0.9}\scriptsize\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
morekeywords={upstream,server,return,listen,server_name,add_header,access_log,error_log,location,proxy_pass,proxy_set_header,allow,include,more_set_headers,ssl_buffer_size,ssl_dhparam,ssl_certificate,ssl_certificate_key,http2},
|
|
]
|
|
upstream pcmt {
|
|
server 127.0.0.1:5005;
|
|
}
|
|
server {
|
|
return 301 https://<pcmt domain>$request_uri;
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name: <pcmt domain> www.<pcmt domain>;
|
|
return 404;
|
|
add_header Referrer-Policy "no-referrer, origin-when-cross-origin";
|
|
}
|
|
server {
|
|
server_name <pcmt domain>;
|
|
access_log /var/log/nginx/<pcmt domain>.access.log;
|
|
error_log /var/log/nginx/<pcmt domain>.error.log;
|
|
location / {
|
|
proxy_pass http://pcmt;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_forwarded_for;
|
|
}
|
|
location /robots.txt {
|
|
allow all;
|
|
add_header Content-Type "text/plain; charset=utf-8";
|
|
add_header X-Robots-Tag "all, noarchive, notranslate";
|
|
return 200 "User-agent: *\nDisallow: /";
|
|
}
|
|
include sec-headers.conf;
|
|
|
|
add_header X-Real-IP $remote_addr;
|
|
add_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
add_header X-Forwarded-Proto $scheme;
|
|
more_set_headers 'Early-Data: $ssl_early_data';
|
|
|
|
listen [::]:443 ssl http2;
|
|
listen 443 ssl http2;
|
|
ssl_certificate /etc/letsencrypt/live/<pcmt domain>/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/<pcmt domain>/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
|
|
# reduce TTFB
|
|
ssl_buffer_size 4k;
|
|
}
|
|
\end{lstlisting}
|
|
\vspace*{-\baselineskip}
|
|
|
|
The snippet describes how traffic arriving at port \texttt{80/tcp} (IPv4 or
|
|
IPv6) that matches the domain name(s) \texttt{\{www.,\}<pcmt domain>}
|
|
(\texttt{<pcmt domain>} being the domain name that the program was configured
|
|
with, including appropriate DNS records) gets 301-redirected to the same
|
|
location (\texttt{\$request\_uri}), only over \texttt{HTTPS}. If the server
|
|
name does not match, a 404 is returned instead. In the main location block, all
|
|
traffic except for \texttt{/robots.txt} is forwarded to the named backend, with
|
|
headers added on top by the proxy in order to label the incoming requests as
|
|
\emph{not} originating at the proxy. The \emph{robots} route is treated
|
|
specially, immediately returning a directive that disallows crawling of any
|
|
resource on the page for all. The proxy is also instructed to log access and
|
|
error events to specific log files, finally load the domain's TLS certificates
|
|
(obtained out of band), reduce the \texttt{ssl\_buffer\_size} and listen on
|
|
port \texttt{443/tcp} (dual stack).
|
|
|
|
|
|
\n{1}{Validation}
|
|
|
|
\n{2}{Unit tests}
|
|
|
|
Unit testing is a hot topic for many people and the author does not count
|
|
himself to be a staunch supporter of neither extreme. The ``no unit tests''
|
|
opinion seems to discount any benefit there is to unit testing, while a
|
|
``TDD-only''\footnotemark{} approach can be a little too much for some people's
|
|
taste. The author tends to prefer a \emph{middle ground} approach in this
|
|
particular case, i.e. writing enough tests where meaningful but not necessarily
|
|
testing everything or writing tests prior to business logic code. Arguably,
|
|
following the practice of TDD should result in writing a \emph{better designed}
|
|
code, particularly because there needs to be a prior thought about the shape
|
|
and function of the code, as it is tested for before it is even written, but it
|
|
adds a slight inconvenience to what is otherwise a straightforward process.
|
|
|
|
Thanks to Go's built in support for testing via its \texttt{testing} package
|
|
and the tooling in the \texttt{go} tool, writing tests is relatively simple. Go
|
|
looks for files in the form \texttt{<filename>\_test.go} in the present working
|
|
directory but can be instructed to look for test files in packages recursively
|
|
found on any path using the ellipsis, like so: \texttt{go test
|
|
./path/to/package/\ldots}, which then \emph{runs} all the tests found, and
|
|
reports some statistics, such as the time it took to run the test or whether it
|
|
succeeded or failed. To be precise, the test files also need to contain test
|
|
functions, which are functions with the signature \texttt{func TestWhatever(t
|
|
*testing.T)\{\}} and where the function prefix ``Test'' is just as important as
|
|
the signature. Without it, the function is not considered to be a testing
|
|
function despite having the required signature and is therefore \emph{not}
|
|
executed during testing.
|
|
|
|
This test lookup behaviour; however, also has a neat side effect: all the test
|
|
files can be kept side-by-side their regular source counterparts, there is no
|
|
need to segregate them into a specially blessed \texttt{tests} folder or
|
|
similar, which in author's opinion improves readability. As a failsafe, in case
|
|
no actual test are found, the current behaviour of the tool is to print a note
|
|
informing the developer that no tests were found, which is handy to learn if it
|
|
was not intended/expected. When compiling regular source code, the Go files
|
|
with \texttt{\_test} in the name are simply ignored by the build tool.
|
|
|
|
\footnotetext{TDD, or Test Driven Development, is a development methodology
|
|
whereby tests are written \emph{first}, then a complementary piece of code
|
|
that is supposed to be tested is added, just enough to get past the compile
|
|
errors and to see the test \emph{fail} and then is the code finally
|
|
refactored to make the test \emph{pass}. The code can then be fearlessly
|
|
extended because the test is the safety net catching the programmer when the
|
|
mind slips and alters the originally intended behaviour of the code.}
|
|
|
|
|
|
\n{2}{Integration tests}
|
|
|
|
Integrating with external software, namely the database in case of this
|
|
program, is designed to utilise the same mechanism that was mentioned in the
|
|
previous section: Go's \texttt{testing} package. These tests verify that the
|
|
code changes can still perform the same actions with the external software that
|
|
were possible before the change and are run before every commit locally and
|
|
then after pushing to remote in the CI.
|
|
|
|
\n{3}{func TestUserExists(t *testing.T)}
|
|
|
|
In the integration test shown in Listing~\ref{integrationtest}, it is prefaced
|
|
at line 10 by declaring a helper function \texttt{getCtx() context.Context},
|
|
which takes no arguments and returns a new\\ \texttt{context.Context}
|
|
initialised with the value of the global logger. As previously mentioned, that
|
|
is how the logger gets injected into the user module functions. The actual test
|
|
function with the signature \texttt{TestUserExists(t *testing.T)} defines a
|
|
database connection string at line 21 and attempts to open a connection to the
|
|
database. The database in use here is SQLite3 running in memory mode, meaning
|
|
no file is actually written to disk during this process. Since the testing data
|
|
is not needed after the test, this is desirable. Next, a defer statement calls
|
|
the \texttt{Close()} method on the database object, which is the Go idiomatic
|
|
way of closing files and network connections (which are also an abstraction
|
|
over files on UNIX-like operating systems such as GNU/Linux). Contrary to where
|
|
it is declared, the \emph{defer} statement is only called after all the
|
|
statements in the surrounding function, which makes sure no file descriptors
|
|
(FDs) are leaked and the file is properly closed when the function returns.
|
|
|
|
In the next step at line 25 a database schema creation is attempted, handling
|
|
the potential error in a Go idiomatic way, which uses the return value from the
|
|
function in an assignment to a variable declared in the \texttt{if} statement,
|
|
and checks whether the \texttt{err} was \texttt{nil} or not. In case the
|
|
\texttt{err} was not \texttt{nil}, i.e.\ \emph{there was an error in the callee
|
|
function}, the condition evaluates to \texttt{true}, which is followed by
|
|
entering the inner block. Inside it, the error is announced to the user (likely
|
|
a developer running the test in this case) and the testing object's
|
|
\texttt{FailNow()} method is called. That marks the test function as having
|
|
failed, and thus stops its execution. In this case, that is the desired
|
|
outcome, since if the database schema creation call fails, there really is no
|
|
point in continuing the testing of user creation.
|
|
\\
|
|
Conversely, if the schema \emph{does} get created without an error, the code
|
|
continues to declare a few variables (lines 30-32): \texttt{username},
|
|
\texttt{email} and \texttt{ctx}, where the context injected with the logger is
|
|
saved. Two of them are subsequently (line 33) passed into the
|
|
\texttt{UsernameExists} function, \texttt{ctx} being the first argument and the
|
|
database pointer and \texttt{username} following, while the \texttt{email}
|
|
variable is only used at a later stage (line 46). The point of declaring them
|
|
together is to give a sense of relatedness. The error value returned from this
|
|
function is again checked (line 33) and if everything goes well, the
|
|
\texttt{usernameFound} boolean value is checked next at line 38.
|
|
|
|
\smallskip
|
|
\smallskip
|
|
\begin{lstlisting}[language=Go, caption={User existence integration test},
|
|
label=integrationtest,basicstyle=\linespread{0.9}\scriptsize\ttfamily,
|
|
backgroundcolor=\color{lstbg},
|
|
numbers=left,
|
|
numberstyle=\linespread{0.9}\scriptsize\ttfamily,
|
|
frame=l,
|
|
framesep=18.5pt,
|
|
framerule=0.1pt,
|
|
xleftmargin=18.7pt,
|
|
otherkeywords={\%s, \%q, \%v},
|
|
]
|
|
// modules/user/user_test.go
|
|
package user
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
"git.dotya.ml/mirre-mt/pcmt/ent/enttest"
|
|
"git.dotya.ml/mirre-mt/pcmt/slogging"
|
|
_ "github.com/xiaoqidun/entps"
|
|
)
|
|
|
|
func getCtx() context.Context {
|
|
l := slogging.Init(false)
|
|
ctx := context.WithValue(context.Background(), CtxKey{}, l)
|
|
return ctx
|
|
}
|
|
|
|
func TestUserExists(t *testing.T) {
|
|
connstr := "file:ent_tests?mode=memory&_fk=1"
|
|
db := enttest.Open(t, "sqlite3", connstr)
|
|
defer db.Close()
|
|
|
|
if err := db.Schema.Create(context.Background()); err != nil {
|
|
t.Errorf("failed to create schema resources: %v", err)
|
|
t.FailNow()
|
|
}
|
|
|
|
username := "dude"
|
|
email := "dude@b.cc"
|
|
ctx := getCtx()
|
|
|
|
usernameFound, err := UsernameExists(ctx, db, username)
|
|
if err != nil {
|
|
t.Errorf("error checking for username {%s} existence: %q", username, err)
|
|
}
|
|
|
|
if usernameFound {
|
|
t.Errorf("unexpected: user{%s} should not have been found", username)
|
|
}
|
|
|
|
if _, err := EmailExists(ctx, db, email); err != nil {
|
|
t.Errorf("unexpected: user email '%s' should not have been found", email)
|
|
}
|
|
|
|
usr, err := CreateUser(ctx, db, email, username, "so strong")
|
|
if err != nil {
|
|
t.Errorf("failed to create user, error: %q", err)
|
|
t.FailNow()
|
|
} else if usr == nil {
|
|
t.Error("got nil usr back")
|
|
t.FailNow()
|
|
}
|
|
|
|
if usr.Username != username {
|
|
t.Errorf("got back wrong username, want: %s, got: %s",
|
|
username, usr.Username,
|
|
)
|
|
} // ...more checks...
|
|
}
|
|
\end{lstlisting}
|
|
|
|
Since the database has just been created, there should be no users, which is
|
|
checked in the body of the \texttt{if} statement (line 35). The same check is
|
|
then performed using an email (line 42), which is also correctly expected to
|
|
fail.
|
|
|
|
The final statements of the described test attempts to create a user by calling
|
|
the function \texttt{CreateUser(...)} at line 46, whose return values are again
|
|
checked for both error and \emph{nillability}, respectively. The test continues
|
|
with more of the checks similar to what has been described so far, but the rest
|
|
was omitted for brevity.
|
|
|
|
As was just demonstrated in the test, a neat thing about error handling in Go
|
|
is that it allows for very easy checking of all code paths, not just the
|
|
\emph{happy path} where there are no issues. The recommended approach of
|
|
immediately explicitly handling (or deciding to ignore) the error is in
|
|
author's view superior to wrapping hundreds of lines in \texttt{try} blocks and
|
|
then \emph{catching} (or not) \emph{all the} exceptions, as is the practice in
|
|
some other languages.
|
|
|
|
|
|
\n{2}{Test environment}
|
|
|
|
The application has been deployed in a test environment on author's modest
|
|
Virtual Private Server (VPS) at \texttt{https://testpcmt.dotya.ml}, protected
|
|
by \emph{Let's Encrypt}\allowbreak issued, short-lived, ECDSA
|
|
\texttt{secp384r1} curve TLS certificate, and configured with strict CSP. It is
|
|
a test instance; therefore limits (and rate-limits) to prevent abuse might be
|
|
imposed.
|
|
\\
|
|
The test environment makes the program available over both modern IPv6 and
|
|
legacy IPv4 protocols, to maximise accessibility. Redirects have been set up
|
|
from plain HTTP to HTTPS, as well as from \texttt{www} to non-\texttt{www}
|
|
domain. The subject domain configuration has been hardened with a \texttt{CAA}
|
|
record limiting certificate authorities (CAs) that are able to issue TLS
|
|
certificates for it (and let them be trusted by validating clients).
|
|
Additionally, the main domain (\texttt{dotya.ml}) had enabled \textit{HTTP
|
|
Strict Transport Security} (HSTS) including the subdomains quite some time ago
|
|
(consult the preload lists in Firefox/Chrome), which mandates that clients
|
|
speaking HTTP only connect to it (and the subdomains) using TLS.
|
|
|
|
The whole deployment has been orchestrated using an Ansible\footnotemark{}
|
|
playbook created for this occasion, with the aim to have the whole deployment
|
|
process reliably automated, focusing on idempotence. At the same time, it is
|
|
now described reasonably well in the code. Its code is available at
|
|
\url{https://git.dotya.ml/mirre-mt/ansible-pcmt.git}.
|
|
|
|
\footnotetext{A Nix-ops approach was also considered, however, Ansible was
|
|
deemed more suitable since the existing host runs Arch.}
|
|
|
|
|
|
\n{3}{Deployment validation}
|
|
|
|
% TODO: show the results of testing the app in prod using:
|
|
% \url{https://testssl.sh/} and
|
|
% \url{https://gtmetrix.com/reports/testpcmt.dotya.ml/}.
|
|
|
|
The deployed application has been validated using the \textit{Security Headers}
|
|
tool (see \url{https://securityheaders.com/?q=https%3A%2F%2Ftestpcmt.dotya.ml}),
|
|
the results of which can be seen in Figure~\ref{fig:secheaders}.
|
|
|
|
It can be seen that the application sets the \texttt{Cross Origin Opener
|
|
Policy} to \texttt{same-origin}, which isolates the browsing context
|
|
exclusively to \textit{same-origin} documents, preventing \textit{cross-origin}
|
|
documents from loading in the same browser context.
|
|
|
|
\obr{Security Headers scan}{fig:secheaders}{.89}{graphics/screen-securityHeaders}
|
|
|
|
Furthermore, a \texttt{Content Security Policy} of
|
|
\texttt{upgrade-insecure-requests; default-src 'none'; manifest-src 'self';
|
|
font-src 'self'; img-src 'self' https://*; script-src 'self'; style-src 'self';
|
|
object-src 'self'; form-action 'self'; frame-ancestors'self'; base-uri 'self'}
|
|
is set by the program using a header.
|
|
This policy essentially pronounces the application (whatever domain it happens
|
|
to be hosted at - \texttt{'self'}) as the only \textit{permissible} source for
|
|
any scripts, styles and frames, the only destination of web forms. One
|
|
exception is the \texttt{image-src 'self' https://*} directive, which more
|
|
leniently also permits images from any \textit{secure} sources. This measure
|
|
ensures that no unvetted content is ever loaded from elsewhere.
|
|
|
|
Also, the \texttt{Referrer-Policy} header setting of \texttt{no-referrer,
|
|
strict-origin-when-cross-origin} ensures that user tracking is reduced, since
|
|
no referrer is included (the \texttt{Referer} header is omitted), should the
|
|
user navigate away from the site or somehow send requests outside the
|
|
application using another means. The \texttt{Permissions-Policy} set to
|
|
\texttt{geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(),
|
|
gyroscope=(), magnetometer=(), fullscreen=(self), payment=()} declares that the
|
|
application is, for instance, never going to request access to payment
|
|
information, user microphone or camera devices, or geolocation.
|
|
|
|
\texttt{gobuster} was used in fuzzing mode to aid in uncovering potential
|
|
application misconfigurations. The wordlists used include:
|
|
|
|
\begin{itemize}
|
|
\item Anton Lopanitsyn's \texttt{fuzz.txt} (\url{https://github.com/Bo0oM/fuzz.txt/tree/master})
|
|
\item Daniel Miessler's \texttt{SecLists} (\url{https://github.com/danielmiessler/SecLists})
|
|
\item Sam's \texttt{samlists} (\url{https://github.com/the-xentropy/samlists})
|
|
\end{itemize}
|
|
|
|
The logs of the fuzzing operations are enclosed as
|
|
Appendix~\ref{appendix:gobusterFuzzingLogs}.
|
|
|
|
The results of scanning the deployed application using Quallys' \textit{SSL
|
|
Labs} scanner can be seen in the picture~\ref{fig:ssllabs}, confirming that
|
|
HSTS is deployed (including for the subdomains), the server supports TLS 1.3,
|
|
the DNS Certificate Authority Authorisation (CAA) has been configured for the
|
|
domain, with the overall grade being A+.
|
|
|
|
\obr{Quallys SSL Labs}{fig:ssllabs}{.79}{graphics/screen-sslLabs}
|
|
|
|
|
|
|
|
\n{1}{Application screenshots}
|
|
|
|
Figure~\ref{fig:homepage} depicts the initial page that a logged-out user is
|
|
greeted with when they load the application.
|
|
|
|
\obr{Homepage}{fig:homepage}{.84}{graphics/screen-homepage}
|
|
|
|
Figure~\ref{fig:signup} can be seen showing a registration page with input
|
|
fields turned green after basic validation. Visiting this page with
|
|
registration disabled in settings would yield a 404.
|
|
|
|
\obr{Registration page}{fig:signup}{.65}{graphics/screen-signup}
|
|
|
|
\newpage
|
|
|
|
\obr{Registration page email
|
|
error}{fig:signupEmailError}{.54}{graphics/screen-signup-emailError}
|
|
|
|
A sign-up form error telling the user to provide a valid email address is shown
|
|
in Figure~\ref{fig:signupEmailError}.
|
|
|
|
|
|
\obr{Sign-in page}{fig:signin}{.55}{graphics/screen-signin}
|
|
|
|
Figure~\ref{fig:signin} depicts a sign-in form similar to the sign-up one.
|
|
|
|
\obr{Short password error on
|
|
sign-in}{fig:signinShortPasswd}{.55}{graphics/screen-signin-shortPasswordError}
|
|
|
|
An error in Figure~\ref{fig:signinShortPasswd} prompts the user to lengthen the
|
|
content of the password field from 3 to at least 20 characters.
|
|
|
|
\newpage
|
|
|
|
\obr{Admin homepage}
|
|
{fig:adminHome}{.25}
|
|
{graphics/screen-adminHome}
|
|
|
|
Figure~\ref{fig:adminHome} displays a simple greeting and a logout button.
|
|
|
|
\obr{User management screen}
|
|
{fig:adminUserManagement}{.85}
|
|
{graphics/screen-adminUserManagement}
|
|
|
|
Figure~\ref{fig:adminUserManagement} shows the user management screen, which
|
|
provides links to view user details page, start creating a new user.
|
|
|
|
% \obr{User creation screen}
|
|
% {fig:adminUserCreate}{.35}
|
|
% {graphics/screen-adminUserCreate}
|
|
|
|
\obr{User creation: `username not unique' error}
|
|
{fig:adminUserCreateErrorUsernameNotUnique}{.65}
|
|
{graphics/screen-adminUserCreateErrorUsernameNotUnique}
|
|
|
|
User creation form can be seen in
|
|
Figure~\ref{fig:adminUserCreateErrorUsernameNotUnique}. Both regular and admin
|
|
level users can be created here. In this case, an error is shown, telling the
|
|
user there is an issue with username uniqueness. User experience of this
|
|
process could in the future be improved by using a bit of JavaScript (or
|
|
WebAssembly) to check uniqueness of the username on user's \emph{key-up}.
|
|
|
|
\newpage
|
|
|
|
\obr{Creation of user `demo'}
|
|
{fig:adminUserCreateDemo}{.75}
|
|
{graphics/screen-adminUserCreateDemo}
|
|
|
|
The user management screen is again shown in
|
|
Figure~\ref{fig:adminUserCreateDemo} after user `demo' was created. An
|
|
informative \emph{flash} message is printed near the top of the page
|
|
immediately after the action and not shown on subsequent page loads.
|
|
|
|
|
|
\obr{User details screen}
|
|
{fig:adminUserDetail}{.65}
|
|
{graphics/screen-adminUserDetail}
|
|
|
|
The user details page is depicted in Figure~\ref{fig:adminUserDetail}. The
|
|
interface presents key information about the user such as ID, username and
|
|
admin status. Additionally, it provides a link back to the previous page and
|
|
two buttons: one for editing the user and one for user deletion.
|
|
|
|
\obr{User edit screen}
|
|
{fig:adminUserEdit}{.65}
|
|
{graphics/screen-adminUserEdit}
|
|
|
|
Figure~\ref{fig:adminUserEdit} shows the form for user editing with a button
|
|
`Update' in the bottom for submitting, a couple of checkboxes for toggling
|
|
`admin' and `active' state of the user. Above those, there are input fields for
|
|
`username', `email', `password' and the confirmation of the password.
|
|
|
|
\newpage
|
|
|
|
\obr{User deletion confirmation}
|
|
{fig:adminUserDeleteConfirm}{.55}
|
|
{graphics/screen-adminUserDeleteConfirmation}
|
|
|
|
When attempting to delete a user, the administrator is presented with the
|
|
screen shown in Figure~\ref{fig:adminUserDeleteConfirm}, which asks them
|
|
whether they are absolutely sure to perform an action with permanent
|
|
consequences. The `Confirm permanent deletion' button is highlighted in intense
|
|
red colour, while the `Cancel' button is displayed in a light blue tone. There
|
|
are two additional links: the `All users' one that points to the user
|
|
management page, and the `Back to detail' one that simply brings the
|
|
administrator one step back to the user details page.
|
|
|
|
\obr{User deletion post-hoc}
|
|
{fig:adminUserDeletePostHoc}{.55}
|
|
{graphics/screen-adminUserDemoDeletion}
|
|
|
|
After successful user deletion, the administrator is redirected back to user
|
|
management page and a flash message confirming the deletion is printed near the
|
|
top of the page, as shown in Figure~\ref{fig:adminUserDeletePostHoc}.
|
|
|
|
\newpage
|
|
|
|
\obr{Manage API keys}
|
|
{fig:manageAPIKeys}{.70}
|
|
{graphics/screen-manageAPIKeys}
|
|
|
|
Figure~\ref{fig:manageAPIKeys} shows a page that allows administrators to
|
|
manage instance-wide API keys for external services, such as \emph{Have I Been
|
|
Pwned?} or \emph{DeHashed.com}. Do note that these keys are never distributed
|
|
to clients in any way and are only ever used by the application itself to make
|
|
the requests on \emph{behalf} of the users.
|
|
|
|
\obr{Log-out message}
|
|
{fig:logout}{.27}
|
|
{graphics/screen-logout}
|
|
|
|
Figure~\ref{fig:logout} shows the message printed to users on logout.
|
|
|
|
\obr{Import of locally available breach data from the CLI}
|
|
{fig:localImport}{.75}
|
|
{graphics/screen-localImport}
|
|
|
|
Figure~\ref{fig:localImport} depicts how formatted breach data can be imported
|
|
into the program's database using the CLI.
|
|
|
|
|
|
|
|
|
|
% =========================================================================== %
|