Fix endpoint tables and ASVS outline

Signed-off-by: Tiago Garcia <tiago.rgarcia@ua.pt>
Tiago Garcia 2024-12-28 17:13:16 +00:00
parent e69c197805
commit 5a1857a636
Signed by: TiagoRG
GPG Key ID: DFCD48E3F420DB42
1 changed files with 132 additions and 100 deletions

@ -1,15 +1,16 @@
= SIO Project Report = SIO Project Report
Authors: Rúben Gomes (113435), João Bastos (113470), Tiago Garcia (114184) Authors: Rúben Gomes (113435), João Bastos (113470), Tiago Garcia (114184) | 30/12/2024
{authors} - {docdate}
:toc: macro :toc: macro
:toclevels: 2 :toclevels: 3
:doctype: article :doctype: article
:source-highlighter: highlightjs :source-highlighter: highlightjs
:icons: font :icons: font
:sectnums: :sectnums:
:sectlinks: :sectlinks:
:!last-update-label:
<<<
== Introduction == Introduction
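Review bot: the author line now hardcodes `30/12/2024` and the `{authors} - {docdate}` line is dropped, so the date is frozen in the heading text instead of coming from a document attribute (and it differs from the commit date); if the intent is to pin the submission date, set `:revdate:` and reference it, which also keeps `:!last-update-label:` meaningful. The `:toclevels: 3` bump is consistent with the level-3 (`====`) ASVS subsections added later in this patch.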
@ -17,6 +18,8 @@ This document serves as the final report for the SIO-2425 project. This project
This report will cover the features implemented, the decisions made as a group, as well as results and conclusions of the project. This report will cover the features implemented, the decisions made as a group, as well as results and conclusions of the project.
<<<
== Features == Features
The features of the project are the ones present in the course project description, but with an extra feature, the possibility to reset the database of the server. This was shown to be useful for testing purposes, but it should be disabled/deleted in a production environment. The features of the project are the ones present in the course project description, but with an extra feature, the possibility to reset the database of the server. This was shown to be useful for testing purposes, but it should be disabled/deleted in a production environment.
@ -24,209 +27,218 @@ The features of the project are the ones present in the course project descripti
The API has a list of endpoints that require different permission levels to access. Mainly, it's divided into 3 categories: The API has a list of endpoints that require different permission levels to access. Mainly, it's divided into 3 categories:
* Anonymous: No authentication required. * <<_anonymous_endpoints,Anonymous>>: No authentication required.
* Authenticated: Authentication required. * <<_authenticated_endpoints,Authenticated>>: Authentication required.
* Authorized: Authentication and permissions required. * <<_authorized_endpoints,Authorized>>: Authentication and permissions required.
[[_anonymous_endpoints]]
=== Anonymous Endpoints === Anonymous Endpoints
[cols="1,1,1,1", options="header"] [cols="1,1,1,1", options="header"]
|=== |===
| Endpoint | Required headers | Required payload fields | Optional payload parameters | Endpoint | Required headers | Required payload fields | Optional payload parameters
| `GET /` → Returns a ping message. a| `GET /` → Returns a ping message.
| N/A | N/A
| N/A | N/A
| N/A | N/A
| `POST /reset` → Resets the database and deletes all data. a| `POST /reset` → Resets the database and deletes all data.
| `Content-Type: application/json` a| * `Content-Type: application/json`
a| * `password`: The reset password. *Note: The reset password is `123` (very secure!).* a| * `password`: The reset password. *Note: The reset password is `123` (very secure!).*
| N/A | N/A
| `GET /org/list` → Returns a list of all organizations. a| `GET /org/list` → Returns a list of all organizations.
| N/A | N/A
| N/A | N/A
| N/A | N/A
| `POST /org/create` → Creates a new organization. a| `POST /org/create` → Creates a new organization.
| `Content-Type: application/json` a| * `Content-Type: application/octet-stream`
a| * `name`: Organization name. a|
* `name`: Organization name.
* `username`: Manager username. * `username`: Manager username.
* `full_name`: Manager full name. * `full_name`: Manager full name.
* `email`: Manager email. * `email`: Manager email.
* `public_key`: Manager public key. * `public_key`: Manager public key.
| N/A | N/A
| `GET /file/get/<file_handle>/content` → Downloads the file content. a| `GET /file/get/<file_handle>/content` → Downloads the file content.
| N/A | N/A
| N/A | N/A
| N/A | N/A
| `POST /user/login` → Logs in a user. .2+a| `POST /user/login` → Logs in a user.
| `Content-Type: application/json` a| * `Content-Type: application/json`
a| * `org`: Organization name. a| * `org`: Organization name.
* `username`: User username. * `username`: User username.
* `password`: User password. | N/A
* `credentials_file`: User credentials file.
a| * `Content-Type: application/octet-stream`
* `Authorization: token`
a| * `signature`: Signature of the challenge using the private key.
| N/A | N/A
|=== |===
[[_authenticated_endpoints]]
=== Authenticated Endpoints === Authenticated Endpoints
[cols="1,1,1,1", options="header", source] [cols="1,1,1,1", options="header", source]
|=== |===
| Endpoint | Required headers | Required payload fields | Optional payload parameters | Endpoint | Required headers | Required payload fields | Optional payload parameters
| `GET /user/list` → Returns a list of all users a| `GET /user/list` → Returns a list of all users
| `Authorization: token` a| * `Content-Type: application/octet-stream`
* `Authorization: token`
| N/A | N/A
a| * `username`: Filter by username. a| * `username`: Filter by username.
| `GET /user/<username>/roles` → Returns a list of all roles of a user. a| `GET /user/<username>/roles` → Returns a list of all roles of a user.
| `Authorization: token` a| * `Authorization: token`
| N/A | N/A
| N/A | N/A
| `GET /file/list` → Returns a list of all files. a| `GET /file/list` → Returns a list of all files.
| `Authorization: token` a| * `Content-Type: application/octet-stream`
* `Authorization: token`
| N/A | N/A
a| a| * `username`: Filter by username.
* `username`: Filter by username.
* `datetime`: Filter by datetime. The datetime filter has the following fields: * `datetime`: Filter by datetime. The datetime filter has the following fields:
** `value`: Epoch time in seconds. ** `value`: Epoch time in seconds.
** `relation`: `ot` \| `eq` \| `nt`. (One of the following: older than, equal to, newer than) ** `relation`: `ot` \| `eq` \| `nt`. (One of the following: older than, equal to, newer than)
| `POST /user/logout` → Logs out a user. a| `POST /user/logout` → Logs out a user.
| `Authorization: token` a| * `Authorization: token`
| N/A | N/A
| N/A | N/A
| `POST /role/session/assume` → Assumes a role in the session. a| `POST /role/session/assume/<role>` → Assumes a role in the session.
| `Authorization: token` a| * `Authorization: token`
a| * `role`: Role name.
| N/A
| `POST /role/session/drop` → Drops a role from the session.
| `Authorization: token`
a| * `role`: Role name.
| N/A
| `GET /role/session/list` → Lists the roles for the session.
| `Authorization: token`
| N/A | N/A
| N/A | N/A
| `GET /role/<role>/list/users` → Lists the users for a role. a| `POST /role/session/drop/<role>` → Drops a role from the session.
| `Authorization: token` a| * `Authorization: token`
| N/A | N/A
| N/A | N/A
| `GET /role/<role>/list/perms` → Lists the permissions for a role. a| `GET /role/session/list` → Lists the roles for the session.
| `Authorization: token` a| * `Authorization: token`
| N/A | N/A
| N/A | N/A
| `GET /role/perm/<perm>/roles`: → Lists the roles with a permission. a| `GET /role/<role>/list/users` → Lists the users for a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A
a| `GET /role/<role>/list/perms` → Lists the permissions for a role.
a| * `Authorization: token`
| N/A
| N/A
a| `GET /role/perm/<perm>/roles`: → Lists the roles with a permission.
a| * `Authorization: token`
| N/A | N/A
| N/A | N/A
|=== |===
[[_authorized_endpoints]]
=== Authorized Endpoints === Authorized Endpoints
[cols="1,1,1,1", options="header", source] [cols="1,1,1,1", options="header", source]
|=== |===
| Endpoint | Required headers | Required payload fields | Optional payload parameters | Endpoint | Required headers | Required payload fields | Required permission
| `POST /user/create` → Creates a new user. | `POST /user/create` → Creates a new user.
a| * `Authorization: token` a| * `Content-Type: application/octet-stream`
* `Content-Type: application/json` * `Authorization: token`
a| * `username`: User's username. a| * `username`: User's username.
* `name`: User's name. * `name`: User's name.
* `email`: User's email. * `email`: User's email.
* `public_key`: User's public key. * `public_key`: User's public key.
| N/A | SUBJECT_NEW
| `POST /user/<username>/suspend` → Suspends a user. a| `POST /user/<username>/suspend` → Suspends a user.
| `Authorization: token`
| N/A
| N/A
| `POST /user/<username>/activate` → Activates a user.
| `Authorization: token`
| N/A
| N/A
| `POST /file/upload/metadata` → Uploads a file's metadata.
a| * `Authorization: token` a| * `Authorization: token`
* `Content-Type: application/json` | N/A
| SUBJECT_DOWN
a| `POST /user/<username>/activate` → Activates a user.
a| `Authorization: token`
| N/A
| SUBJECT_UP
a| `POST /file/upload/metadata` → Uploads a file's metadata.
a| * `Content-Type: application/octet-stream`
* `Authorization: token`
a| * `document_name`: Document name. a| * `document_name`: Document name.
* `key`: Document key. * `key`: Document key.
* `alg`: Document algorithm. * `alg`: Document algorithm.
| N/A | DOC_NEW
| `POST /file/upload/content` → Uploads a file's content. a| `POST /file/upload/content` → Uploads a file's content.
a| * `Authorization: token` a| * `Authorization: token`
* `Content-Type: multipart/form-data` * `Content-Type: multipart/form-data`
a| * `content`: File's content to upload. a| * file's content as request data
| N/A | DOC_NEW
| `GET /file/get/<document_handle>/metadata` → Downloads a file's metadata. a| `GET /file/get/<document_handle>/metadata` → Downloads a file's metadata.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| DOC_READ
| `POST /file/delete/<document_handle>` → Deletes a file. a| `POST /file/delete/<document_handle>` → Deletes a file.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| DOC_DELETE
| `POST /file/acl` → Updates the ACL of a file. a| `POST /file/acl` → Updates the ACL of a file.
| `Authorization: token` a| * `Content-Type: application/octet-stream`
* `Authorization: token`
a| * `document_handle`: Document handle. a| * `document_handle`: Document handle.
* `role`: Role name. * `role`: Role name.
* `perm`: Permission name. * `perm`: Permission name.
* `operation`: `add` \| `remove`. (One of the following: add, remove) * `operation`: `add` \| `remove`. (One of the following: add, remove)
| N/A | DOC_ACL
| `POST /role/create` → Creates a new role. a| `POST /role/create` → Creates a new role.
| `Authorization: token` a| * `Content-Type: application/octet-stream`
* `Authorization: token`
a| * `role`: Role name. a| * `role`: Role name.
| N/A | ROLE_NEW
| `POST /role/<role>/suspend` → Suspends a role. a| `POST /role/<role>/suspend` → Suspends a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_DOWN
| `POST /role/<role>/activate` → Activates a role a| `POST /role/<role>/activate` → Activates a role
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_UP
| `POST /role/<role>/user/add/<username>` → Adds a user to a role. a| `POST /role/<role>/user/add/<username>` → Adds a user to a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_MOD
| `POST /role/<role>/user/remove/<username>` → Removes a user from a role. a| `POST /role/<role>/user/remove/<username>` → Removes a user from a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_MOD
| `POST /role/<role>/perm/add/<perm>` → Adds a permission to a role. a| `POST /role/<role>/perm/add/<perm>` → Adds a permission to a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_MOD
| `POST /role/<role>/perm/remove/<perm>` → Removes a permission from a role. a| `POST /role/<role>/perm/remove/<perm>` → Removes a permission from a role.
| `Authorization: token` a| * `Authorization: token`
| N/A
| N/A | N/A
| ROLE_MOD
|=== |===
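Review bot: the two-step `POST /user/login` row lists `password` and `credentials_file` as required payload fields of step one, but a challenge-response login (step two sends `signature` of the challenge under `Authorization: token`) should not transmit the password at all; if those fields are consumed client-side to open the credentials file, move them out of the "Required payload fields" column or say so explicitly, otherwise the table documents a password sent to the server. Also in this hunk: `POST /reset` stays an anonymous endpoint whose reset password `123` is printed in the report, at odds with the Features text saying it must be disabled in production, so name the gating mechanism (or drop the literal); `GET /user/list` and `GET /file/list` now require `Content-Type: application/octet-stream` while `GET /user/<username>/roles` does not, and a GET carrying an encrypted body needs one sentence on how the `username`/`datetime` filters are transported; `GET /role/perm/<perm>/roles`: still has a stray colon before the arrow; `POST /user/<username>/activate` uses `a| \`Authorization: token\`` without the `*` bullet used by every other row; and `<file_handle>` versus `<document_handle>` name the same identifier.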
@ -234,6 +246,26 @@ a| * `role`: Role name.
The methodology section will delineate the steps undertaken to achieve the project objectives, including the tools and technologies utilized, as well as any challenges encountered and the strategies employed to address them. The methodology section will delineate the steps undertaken to achieve the project objectives, including the tools and technologies utilized, as well as any challenges encountered and the strategies employed to address them.
== Analysis
For the analysis section, the project will be evaluated under the scope of the V3 (Session Management) chapter of the OWASP ASVS. This will include an assessment of the session management mechanisms implemented, as well as any vulnerabilities identified and possible mitigations.
=== Session Management
==== Fundamental Session Management Security
==== Session Binding
==== Session Termination
==== Cookie-based Session Management
==== Token-based Session Management
==== Federated Re-authentication
==== Defenses Against Session Management Exploits
== Results and Conclusions == Results and Conclusions
This section will present the outcomes of the project, including any data collected, analyses performed, and key findings. This section will present the outcomes of the project, including any data collected, analyses performed, and key findings.
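Review bot: the seven `====` subsections under Analysis are empty headings; either fill them or mark the ones that cannot apply, since every table row authenticates with an `Authorization: token` header and no cookie appears anywhere, so "Cookie-based Session Management" and "Federated Re-authentication" should state "not applicable" rather than stand empty. State which ASVS version is being evaluated (the V3.1 to V3.7 headings used here follow the 4.0.x chapter layout), and for consistency with the `<<<` page breaks added before `== Introduction` and `== Features`, add one before `== Analysis` and `== Results and Conclusions` as well.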