CouchDB Security in Ruby

30 Oct

To get some background on CouchDB security read here.

All the code samples below require the rest-client rubygem. You can install it with the command:

gem install rest-client

And require it in your code with:

require 'rest_client'

Let's say your CouchDB is in Admin Party mode (everyone is an admin). To end the admin party and add an admin user:

RestClient.put 'http://127.0.0.1:5984/_config/admins/james', '"ssstepin"',{:content_type => :json}

james is the name of the new admin and ssstepin is his password. The password needs to be enclosed in double quotes to denote a string in the CouchDB configuration.

To authenticate the admin user:

response = RestClient.post 'http://127.0.0.1:5984/_session', 'name=james&password=ssstepin',{:content_type => 'application/x-www-form-urlencoded'}
puts response.cookies
# => {"AuthSession"=>"b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT", "Version"=>"1", "Path"=>"%2F"}

This returns the authentication token (the AuthSession cookie) for making future requests on behalf of the authenticated user.

To add a new admin user:

RestClient.put 'http://127.0.0.1:5984/_config/admins/david', '"wuzz234"',{:cookies => {"AuthSession" => "b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT"}}

We added a new admin david with password wuzz234. The request was made on behalf of james: note the AuthSession token, which is the same token generated for james above.

To delete the new admin user:

RestClient.delete 'http://127.0.0.1:5984/_config/admins/david',{:cookies => {"AuthSession" => "b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT"}}

We deleted the admin david, again on behalf of james (see the AuthSession token). If you delete all admins, CouchDB switches back to Admin Party.
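The authenticate-then-act sequence above, packaged as a reusable session helper. This is an added example and not code from the post: it uses Ruby's standard-library Net::HTTP and JSON instead of rest-client and yajl-ruby, assumes the same server URL and paths as above, and keeps the AuthSession cookie inside an object so the token never has to be pasted into each call by hand.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Added example (not from the post): a small CouchDB session helper built on
# the Ruby standard library. It logs in once via POST /_session, keeps the
# AuthSession cookie, and sends it on every later request.
class CouchSession
  attr_reader :auth_session

  def initialize(base_url = 'http://127.0.0.1:5984')
    @base = URI(base_url)
    @auth_session = nil
  end

  # Pull the AuthSession value out of the Set-Cookie header field(s).
  # Returns nil when no non-empty AuthSession cookie is present (for example
  # on a failed login, where CouchDB sets no session cookie).
  def self.parse_auth_session(set_cookie_fields)
    Array(set_cookie_fields).each do |cookie|
      name, value = cookie.split(';', 2).first.split('=', 2)
      return value if name.strip == 'AuthSession' && !value.to_s.empty?
    end
    nil
  end

  # CouchDB config values and documents are JSON; a bare Ruby string becomes
  # a double-quoted JSON string, which is what /_config/admins/<name> expects.
  def self.encode_body(body)
    body.nil? ? '' : body.to_json
  end

  # POST name/password as a form to /_session and remember the cookie.
  def login(name, password)
    req = Net::HTTP::Post.new('/_session')
    req.set_form_data('name' => name, 'password' => password)
    res = Net::HTTP.start(@base.host, @base.port) { |http| http.request(req) }
    raise "login failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
    @auth_session = self.class.parse_auth_session(res.get_fields('set-cookie'))
    raise 'login succeeded but no AuthSession cookie came back' if @auth_session.nil?
    @auth_session
  end

  # Header value for the cookie; refuses to build an unauthenticated request.
  def cookie_header
    raise 'not logged in; call login first' if @auth_session.nil?
    "AuthSession=#{@auth_session}"
  end

  def put_json(path, body = nil)
    req = Net::HTTP::Put.new(path)
    req['Content-Type'] = 'application/json'
    req['Cookie'] = cookie_header
    req.body = self.class.encode_body(body)
    perform(req)
  end

  def delete(path)
    req = Net::HTTP::Delete.new(path)
    req['Cookie'] = cookie_header
    perform(req)
  end

  private

  def perform(req)
    res = Net::HTTP.start(@base.host, @base.port) { |http| http.request(req) }
    raise "CouchDB returned HTTP #{res.code}: #{res.body}" unless res.is_a?(Net::HTTPSuccess)
    JSON.parse(res.body)
  end
end

# Usage against a running CouchDB (not executed here):
#   couch = CouchSession.new
#   couch.login('james', 'ssstepin')
#   couch.put_json('/_config/admins/david', 'wuzz234')   # body is "\"wuzz234\""
#   couch.delete('/_config/admins/david')
```

Every request after login goes through cookie_header, so a call made before authenticating fails loudly instead of silently hitting the server as an anonymous user.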

To create a non-admin user:

require 'digest/sha1'
require 'yajl'

salt = "somerandomstring123"
password = "seenow109"
# CouchDB stores sha1(password + salt) in the password_sha field
password_sha = Digest::SHA1.hexdigest(password + salt)

user_hash = { :type => "user",
              :name => "nancy",
              :password_sha => password_sha,
              :salt => salt,
              :roles => []
            }

str = Yajl::Encoder.encode(user_hash)

RestClient.put "http://127.0.0.1:5984/_users/org.couchdb.user:nancy", str, {:content_type => :json, :accept => :json}

We created the non-admin user nancy with password seenow109. The above code implements in Ruby the security features explained here. Note that non-admins are authenticated with the same API call as admins.
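The user-creation step as a reusable, testable unit. This is an added example, not the post's code: it uses the standard library's Digest and JSON instead of yajl-ruby, generates a random per-user salt instead of the fixed string above, and adds a verification function so a password can be checked against a stored document (the check CouchDB itself performs on /_session). The scheme, sha1(password + salt) stored in password_sha, is the one the post uses; later CouchDB releases also accept a plaintext password field and hash it server-side.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'json'

# Added example (not from the post): build and verify a CouchDB _users
# document using the password_sha/salt scheme, sha1(password + salt).
module CouchUser
  DOC_PREFIX = 'org.couchdb.user:'.freeze

  # A fresh random salt per user; the fixed salt in the post is illustrative only.
  def self.generate_salt
    SecureRandom.hex(16)
  end

  # Returns the document hash to PUT at /_users/org.couchdb.user:<name>.
  def self.build_doc(name, password, salt: generate_salt, roles: [])
    raise ArgumentError, 'name must not be empty' if name.to_s.empty?
    raise ArgumentError, 'password must not be empty' if password.to_s.empty?
    {
      '_id' => DOC_PREFIX + name,
      'type' => 'user',
      'name' => name,
      'password_sha' => Digest::SHA1.hexdigest(password + salt),
      'salt' => salt,
      'roles' => roles
    }
  end

  # Re-derive the hash with the stored salt and compare in constant time,
  # so a wrong guess does not leak how many leading bytes matched.
  def self.password_valid?(doc, candidate)
    expected = doc['password_sha'].to_s
    actual = Digest::SHA1.hexdigest(candidate.to_s + doc['salt'].to_s)
    secure_compare(expected, actual)
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # JSON body for the PUT request (stdlib JSON in place of yajl-ruby).
  def self.to_json_body(doc)
    JSON.generate(doc)
  end
end

# Usage (the PUT itself needs a running CouchDB and is not executed here):
#   doc = CouchUser.build_doc('nancy', 'seenow109')
#   body = CouchUser.to_json_body(doc)
#   # PUT body to http://127.0.0.1:5984/_users/org.couchdb.user:nancy
#   CouchUser.password_valid?(doc, 'seenow109')   # => true
```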

To create a new database with the authenticated admin user:

# rest-client's put takes (url, payload, headers); the body is empty because the database name comes from the URL
RestClient.put 'http://127.0.0.1:5984/contacts', '', {:content_type => :json, :cookies => {"AuthSession" => "b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT"}}

We created a new database called contacts. This request was made by the user james; notice the AuthSession token in the request.

To add a security object to the contacts database:

require 'yajl'

security_hash = { :admins => {"names" => ["nancy"], "roles" => ["admin"]},
                  :readers => {"names" => ["nancy"], "roles" => ["admin"]}
                }
security = Yajl::Encoder.encode(security_hash)

response = RestClient.put 'http://127.0.0.1:5984/contacts/_security', security, {:content_type => :json, :cookies => {"AuthSession" => "b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT"}}

The above example uses the yajl-ruby gem to encode the Ruby hash to JSON.
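Building the security object and checking what it actually grants, as an added example that is not part of the post: it uses stdlib JSON instead of yajl-ruby and the same readers key as above (CouchDB 1.1 renamed that section to members). It adds the two checks a practitioner wants before pushing a security object: whether the database is still readable by any authenticated user (an empty readers section means exactly that), and whether a given user and role set can read it.

```ruby
require 'json'

# Added example (not from the post): build a /_security object and
# evaluate who it lets in. Keys follow the post ("readers"; later CouchDB
# versions call this section "members").
module CouchSecurity
  # admins: and readers: are hashes with :names and/or :roles arrays.
  def self.build(admins: {}, readers: {})
    {
      'admins'  => section(admins),
      'readers' => section(readers)
    }
  end

  def self.section(spec)
    names = spec[:names] || spec['names']
    roles = spec[:roles] || spec['roles']
    { 'names' => Array(names).map(&:to_s).uniq,
      'roles' => Array(roles).map(&:to_s).uniq }
  end

  # CouchDB treats an empty readers section as "any authenticated user may
  # read"; this is the state a freshly created database is in.
  def self.world_readable?(security)
    r = security.fetch('readers', {})
    Array(r['names']).empty? && Array(r['roles']).empty?
  end

  # Can a user with this name and these roles read the database?
  # Server admins (role _admin) and database admins always can.
  def self.reader?(security, name:, roles: [])
    return true if roles.include?('_admin')
    return true if world_readable?(security)
    %w[admins readers].any? do |key|
      s = security.fetch(key, {})
      Array(s['names']).include?(name) || (Array(s['roles']) & roles).any?
    end
  end

  # JSON body for PUT /<db>/_security (stdlib JSON in place of yajl-ruby).
  def self.to_json_body(security)
    JSON.generate(security)
  end
end

# Usage (the PUT itself needs a running CouchDB and is not executed here):
#   sec = CouchSecurity.build(admins:  { names: ['nancy'], roles: ['admin'] },
#                             readers: { names: ['nancy'], roles: ['admin'] })
#   CouchSecurity.world_readable?(sec)   # => false
#   # PUT CouchSecurity.to_json_body(sec) to http://127.0.0.1:5984/contacts/_security
```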

To add a new document to the contacts database with the authenticated user session:

require 'yajl'

data = { :name => 'sunny',
         :email => 'sunny@winter.com'
       }

str = Yajl::Encoder.encode(data)

RestClient.put "http://127.0.0.1:5984/contacts/sunny", str, {:content_type => :json, :cookies => {"AuthSession" => "b2tlOjRFQUJCNzE0OkXtpl9cxR_zbIxvlvW2J60txIwT"}}

We added a document with _id sunny to the contacts database. The above example also uses the yajl-ruby gem for JSON encoding.

I hope this was helpful. If you find any errors or have suggestions please let me know in the comments.
