Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
# Authentication and Authorization Recipes
# ========================================
# JWT authentication, MFA enrollment, session management, and token operations

# ============================================================================
# Authentication - Login & Logout
# ============================================================================

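# NOTE(review): `just` splices USER into the shell line as raw text, so the
# value goes through quote() to keep spaces and shell metacharacters literal.
# Quoting does not stop a value that starts with `-` from being parsed as an
# option by `provisioning`; the CLI has to reject that itself.
# Login to provisioning platform
@auth-login USER:
    echo "🔐 Logging in as "{{quote(USER)}}"..."
    provisioning auth login {{quote(USER)}}
    echo "✅ Login successful"
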
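# NOTE(review): three changes from the original recipe.
#  - `set -euo pipefail`: a shebang recipe runs as a single script, so without
#    it a failed login still printed the success line and the recipe exited 0.
#  - quote(): USER and URL are substituted as raw text before bash runs.
#  - no leading `@`: on a shebang recipe `@` makes `just` print the script,
#    including the interpolated arguments, before executing it.
# URL decides which server receives the credentials. Nothing here checks the
# scheme or host, so pass only a trusted https endpoint.
# Login with custom URL
auth-login-url USER URL:
    #!/usr/bin/env bash
    set -euo pipefail
    echo "🔐 Logging in as "{{quote(USER)}}" to "{{quote(URL)}}"..."
    provisioning auth login {{quote(USER)}} --url {{quote(URL)}}
    echo "✅ Login successful"
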
# Logout current session
@auth-logout:
    printf '%s\n' "👋 Logging out..."
    provisioning auth logout
    printf '%s\n' "✅ Logged out successfully"

# Show authentication status for the current user
@auth-status:
    printf '%s\n' "📊 Authentication Status" "========================"
    provisioning auth status

# Show current user status (runs auth-status as its only dependency)
@whoami: auth-status

# ============================================================================
# Session Management
# ============================================================================

# List all active sessions
@auth-sessions:
    printf '%s\n' "📋 Active Sessions" "=================="
    provisioning auth sessions

# NOTE(review): on a shebang recipe the leading `@` makes `just` print the
# script before running it. The script holds no arguments or secrets, so the
# marker is kept unchanged here.
# List active sessions with details
@auth-sessions-detailed:
    #!/usr/bin/env bash
    printf '%s\n' "📋 Active Sessions (Detailed)" "============================="
    provisioning auth sessions --detailed

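# NOTE(review): SESSION_ID is substituted as raw text, so it goes through
# quote() before reaching the shell. An unquoted value containing spaces or
# metacharacters would otherwise change the command that runs.
# Revoke specific session
@auth-revoke-session SESSION_ID:
    echo "🚫 Revoking session "{{quote(SESSION_ID)}}"..."
    provisioning auth revoke-session {{quote(SESSION_ID)}}
    echo "✅ Session revoked"
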
# Revoke all other sessions
@auth-revoke-all:
    printf '%s\n' "🚫 Revoking all sessions except current..."
    provisioning auth revoke-all
    printf '%s\n' "⚠️ All other sessions have been revoked"

# Token Management
# ============================================================================

# Refresh authentication token
@auth-refresh:
    printf '%s\n' "🔄 Refreshing authentication token..."
    provisioning auth refresh
    printf '%s\n' "✅ Token refreshed"

# NOTE(review): the output presumably includes token claims, possibly the token
# itself. Confirm what `token info` prints before running this where stdout is
# captured (CI logs, shared terminals).
# Show token details
@auth-token-info:
    printf '%s\n' "🔍 Access Token Information" "==========================="
    provisioning auth token info

# Validate current token
@auth-validate:
    printf '%s\n' "✅ Validating current token..."
    provisioning auth validate

# MFA - Multi-Factor Authentication
# ============================================================================

# NOTE(review): the QR code presumably encodes the TOTP shared secret. Run this
# on a private terminal, not where output is logged or screen-shared.
# Enroll in TOTP (Time-based One-Time Password) MFA
@mfa-enroll-totp:
    printf '%s\n' "📱 Enrolling in TOTP MFA" "========================"
    printf '%s\n' "This will generate a QR code to scan with your authenticator app"
    printf '%s\n' "(Google Authenticator, Authy, 1Password, etc.)"
    printf '\n'
    provisioning auth mfa enroll totp

# Enroll in WebAuthn MFA
@mfa-enroll-webauthn:
    printf '%s\n' "🔑 Enrolling in WebAuthn MFA" "============================"
    printf '%s\n' "Please prepare your security key (YubiKey, Touch ID, etc.)"
    printf '\n'
    provisioning auth mfa enroll webauthn

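# NOTE(review): the leading `@` is dropped because on a shebang recipe it makes
# `just` print the script before running it, and the interpolated one-time code
# would be printed with it. CODE goes through quote() because it is substituted
# as raw text. The code still travels as a command-line argument, so it remains
# visible in shell history and process listings while the command runs.
# Verify MFA code
mfa-verify CODE:
    #!/usr/bin/env bash
    set -euo pipefail
    echo "✅ Verifying MFA code..."
    provisioning auth mfa verify --code {{quote(CODE)}}
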
# List enrolled devices
@mfa-devices:
    printf '%s\n' "📱 Enrolled MFA Devices" "======================="
    provisioning auth mfa devices

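# NOTE(review): DEVICE_ID is substituted as raw text, so it goes through
# quote(). The recipe removes a second factor without asking for confirmation.
# Whether the CLI prompts or refuses to remove the last enrolled device is not
# visible here and should be confirmed.
# Remove MFA device
@mfa-remove-device DEVICE_ID:
    echo "🗑️ Removing MFA device "{{quote(DEVICE_ID)}}"..."
    provisioning auth mfa remove-device {{quote(DEVICE_ID)}}
    echo "✅ Device removed"
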
# NOTE(review): the codes are written to stdout. Avoid running this where output
# is captured (CI logs, terminal recordings), and clear scrollback afterwards.
# Generate backup codes
@mfa-backup-codes:
    printf '%s\n' "🔑 Generating MFA Backup Codes" "==============================="
    printf '%s\n' "⚠️ Store these codes securely - they can only be used once"
    printf '\n'
    provisioning auth mfa backup-codes

# User Management
# ============================================================================

# Show current user profile
@auth-profile:
    printf '%s\n' "👤 User Profile" "==============="
    provisioning auth profile

# Update profile
@auth-profile-update:
    printf '%s\n' "✏️ Updating user profile..."
    provisioning auth profile update

# Change password (the recipe takes no arguments, so no password reaches argv here)
@auth-change-password:
    printf '%s\n' "🔑 Changing password..."
    provisioning auth change-password

# Quick Workflows
# ============================================================================

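# NOTE(review): USER is substituted as raw text, so it goes through quote() to
# keep spaces and shell metacharacters literal. This recipe only prints the MFA
# enrollment hints; it does not check whether MFA is enrolled.
# Complete login workflow with MFA enrollment guidance
@auth-login-full USER:
    echo "🚀 Complete Login Workflow"
    echo "=========================="
    echo "Logging in as "{{quote(USER)}}"..."
    provisioning auth login {{quote(USER)}}
    echo ""
    echo "📱 MFA Setup (if not already enrolled)"
    echo "======================================"
    echo "To enroll in TOTP MFA: just mfa-enroll-totp"
    echo "To enroll in WebAuthn: just mfa-enroll-webauthn"
    echo ""
    echo "✅ Login complete!"
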
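# NOTE(review): changes from the original recipe.
#  - `set -euo pipefail`: the script used to continue after a failed login or a
#    failed MFA verification, print "Production login complete" and exit 0, so a
#    wrapper chaining on this recipe's exit status would proceed.
#  - quote() on USER, `read -r`, and a quoted "$CODE" keep user input literal.
#  - no leading `@`: on a shebang recipe it makes `just` print the script.
# This recipe is a convenience wrapper only. Nothing in it enforces MFA for
# production; that presumably happens server-side and should be confirmed.
# Production login (MFA required)
auth-login-prod USER:
    #!/usr/bin/env bash
    set -euo pipefail
    echo "🏭 Production Login"
    echo "==================="
    echo "⚠️ MFA required for production operations"
    echo ""
    provisioning auth login {{quote(USER)}}
    echo ""
    echo "Please verify MFA code:"
    # A closed stdin makes read fail, which now aborts instead of reporting success.
    read -r -p "Enter MFA code: " CODE
    provisioning auth mfa verify --code "$CODE"
    echo ""
    echo "✅ Production login complete"
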
# Quick re-authentication
@auth-quick:
    printf '%s\n' "⚡ Quick Re-authentication" "=========================="
    provisioning auth refresh
    printf '%s\n' "✅ Token refreshed - you are authenticated"

# Troubleshooting
# ============================================================================

# Step 1 is best-effort: an invalid or expired token prints a warning and the
# remaining steps still run. The final line means the test ran to completion,
# not that the token was valid.
# Test authentication flow
@auth-test:
    printf '%s\n' "🧪 Testing Authentication Flow" "===============================" ""
    printf '%s\n' "1. Testing token validation..."
    provisioning auth validate || printf '%s\n' "⚠️ Token invalid or expired"
    printf '%s\n' "" "2. Checking session status..."
    provisioning auth status
    printf '%s\n' "" "3. Listing active sessions..."
    provisioning auth sessions
    printf '%s\n' "" "✅ Authentication test complete"

# NOTE(review): if `config get auth` or `config get jwt` returns signing keys or
# other secrets, this recipe prints them to the terminal. Confirm that the CLI
# redacts them before running this where output is logged.
# Show configuration
@auth-config:
    printf '%s\n' "⚙️ Authentication Configuration" "================================="
    provisioning config get auth
    printf '%s\n' "" "JWT Configuration:"
    provisioning config get jwt

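# NOTE(review): changes from the original recipe.
#  - `set -euo pipefail`: a failed `logout --all` used to be followed by the
#    "reset complete" line and exit 0, so sessions could stay active while the
#    recipe reported success.
#  - a closed or non-interactive stdin is treated as "no".
#  - no leading `@`: on a shebang recipe it makes `just` print the script.
# Reset all authentication
auth-reset:
    #!/usr/bin/env bash
    set -euo pipefail
    echo "🔄 Resetting Authentication"
    echo "==========================="
    echo "⚠️ This will log out all sessions and clear tokens"
    read -p "Continue? (y/N): " -n 1 -r || REPLY=""
    echo
    if [[ $REPLY =~ ^[Yy]$ ]]; then
        provisioning auth logout --all
        echo "✅ Authentication reset complete"
    else
        echo "❌ Cancelled"
    fi
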
# Help
# ============================================================================

# Prints static usage text only; it runs no `provisioning` command. The recipe
# names listed below must be kept in sync with this file by hand.
# Show authentication help
@auth-help:
    echo "🔐 AUTHENTICATION RECIPES"
    echo "========================="
    echo ""
    echo "📥 LOGIN & LOGOUT"
    echo " just auth-login <user> - Login to platform"
    echo " just auth-login-url <user> <url> - Login with custom URL"
    echo " just auth-logout - Logout current session"
    echo " just whoami - Show current user status"
    echo ""
    echo "🎫 SESSION MANAGEMENT"
    echo " just auth-sessions - List active sessions"
    echo " just auth-sessions-detailed - List with details"
    echo " just auth-revoke-session <id> - Revoke specific session"
    echo " just auth-revoke-all - Revoke all other sessions"
    echo ""
    echo "🔑 TOKEN MANAGEMENT"
    echo " just auth-refresh - Refresh access token"
    echo " just auth-token-info - Show token details"
    echo " just auth-validate - Validate current token"
    echo ""
    echo "📱 MFA (Multi-Factor Authentication)"
    echo " just mfa-enroll-totp - Enroll in TOTP MFA"
    echo " just mfa-enroll-webauthn - Enroll in WebAuthn MFA"
    echo " just mfa-verify <code> - Verify MFA code"
    echo " just mfa-devices - List enrolled devices"
    echo " just mfa-remove-device <id> - Remove MFA device"
    echo " just mfa-backup-codes - Generate backup codes"
    echo ""
    echo "👤 USER MANAGEMENT"
    echo " just auth-profile - Show user profile"
    echo " just auth-profile-update - Update profile"
    echo " just auth-change-password - Change password"
    echo ""
    echo "🚀 QUICK WORKFLOWS"
    echo " just auth-login-full <user> - Complete login with MFA setup"
    echo " just auth-login-prod <user> - Production login (MFA required)"
    echo " just auth-quick - Quick re-authentication"
    echo ""
    echo "🔧 TROUBLESHOOTING"
    echo " just auth-test - Test authentication flow"
    echo " just auth-config - Show configuration"
    echo " just auth-reset - Reset all authentication"
    echo ""
    echo "💡 EXAMPLES"
    echo " # Basic login"
    echo " just auth-login alice"
    echo ""
    echo " # Production workflow"
    echo " just auth-login-prod alice"
    echo ""
    echo " # Setup MFA"
    echo " just mfa-enroll-totp"
    echo ""
    echo " # Check status"
    echo " just whoami"