71 lines
2.8 KiB
Markdown
71 lines
2.8 KiB
Markdown
# Project Guidelines
|
|
|
|
MCIAS is the metacircular identity and access system, providing identity and
|
|
authentication across the metacircular projects.
|
|
|
|
The Metacircular Identity and Access System (MCIAS) provides standard
|
|
tools for user and access management among metacircular and wntrmute
|
|
systems.
|
|
|
|
Build an authentication service written in Go that I can use with other
|
|
apps that I write.
|
|
|
|
## Specifications
|
|
|
|
- Applications should be able to either do an interactive login, using a
|
|
username/password (and potentially a TOTP), or present a token.
|
|
- Applications should be able to renew the token, which would nominally
|
|
expire after some period (defaulting to maybe 30 days).
|
|
- There are two kinds of users: human and system accounts.
|
|
- System accounts can only present a token; they have a single token
|
|
associated with that account at a time.
|
|
- User accounts have roles associated with them.
|
|
- Users with the admin role can issue tokens for any app, or users with
|
|
the role named the same as a service account can issue tokens for that
|
|
service account.
|
|
- Admin users can also revoke tokens for a service account.
|
|
- Service accounts (and users with the a role named the same as the
|
|
service account) can also retrieve Postgres database credentials for
|
|
the service account.
|
|
|
|
## Technical details
|
|
|
|
- User passwords will be stored using scrypt.
|
|
- The service account tokens and user/password authentication can be
|
|
used to obtain a JWT, if that is appropriate.
|
|
- All authentication events should be logged.
|
|
- This service should use the packages contained in
|
|
git.wntrmute.dev/kyle/goutils for logging etc.
|
|
|
|
## Interfaces
|
|
|
|
- The primary interface will be an REST API over HTTPS. TLS security is
|
|
critical for this.
|
|
- There should be two command line tools associated with MCIAS:
|
|
- mciassrv is the authentication server.
|
|
- mciasctl is the tool for admins to create and manage accounts, issue
|
|
or revoke tokens, and manage postgres database credentials.
|
|
|
|
## Structure
|
|
|
|
+ The system should be runnable through a cobra CLI tool, with
|
|
subcommands implemented as wrappers around packages.
|
|
+ The REST API code should be under the `api` directory.
|
|
+ The system should be backed by a single SQLite database whose schema
|
|
is stored in `schema.sql`.
|
|
|
|
## Writing code
|
|
|
|
+ Junie should write and run tests to validate correctness.
|
|
+ The tests should be runnable with just `go test` (with
|
|
any approporiate arguments).
|
|
+ Junie should validate the build and ensure that the code is
|
|
properly linted. Junie should use `golangci-lint` for this.
|
|
+ Junie should elide trivial comments, only write comments where it
|
|
is beneficial to provide exposition on the code, and ensure any
|
|
comments are complete English sentences.
|
|
|
|
## Notes
|
|
|
|
This is a security system, so care should be taken towards
|
|
correctness. |