mirror of
https://github.com/IT4Change/gradido.git
synced 2025-12-13 07:45:54 +00:00
add details about stage-1 and stage-2, still ongoing
This commit is contained in:
Claus-Peter Hübner
parent
62e3eabef9
commit
3dbb406d7c
@ -221,14 +221,50 @@ For the first federation release the DHT-node will be part of the apollo server,
|
||||
|
||||
### Stage2 - Authentication
|
||||
|
||||
The 2nd stage of federation is called authentication, because during the 1st stage the hyperswarm dht only ensures the knowledge that one node is the owner of its keypairs pubkey and private key. The exchanged data between two nodes during the *direct exchange* on the hyperswarm dht channel must be verified, means ensure if the proclaimed url and apiversion of a node is the correct address to reach the same node outside the hyperswarm infrastructure.
|
||||
The 2nd stage of federation is called *authentication*, because during the 1st stage the *hyperswarm dht* only ensures the knowledge that one node is the owner of its keypairs *pubkKy* and *privateKey*. The exchanged data between two nodes during the *direct exchange* on the *hyperswarm dht channel* must be verified, means ensure if the proclaimed *url(s)* and *apiversion(s)* of a node is the correct address to reach the same node outside the hyperswarm infrastructure.
|
||||
|
||||
As mentioned before the *DHT-node* invokes the *authentication* stage on *apollo server* *graphQL* with the previous stored data of the foreign node.
|
||||
|
||||
#### Sequence - view of existing Community
|
||||
|
||||
1. the authentication stage starts by reading for the *foreignNode* from the previous federation step all necessary data
|
||||
1. select with the *foreignNode.pubKey* from the tables *CommunityFederation* and *CommunityApiVersion* where *CommunityApiVersion.validFrom* <= NOW
|
||||
2. the resultSet will be a list of data with the following attributes
|
||||
* foreignNode.pubKey
|
||||
* foreignNode.url
|
||||
* foreignNode.apiVersion
|
||||
2. read the own keypair and uuid by `select uuid, privateKey, pubKey from CommunityFederation cf where cf.foreign = FALSE`
|
||||
3. for each entry of the resultSet do
|
||||
1. encryptedURL = encrypting the foreignNode.url and foreignNode.apiVersion with the foreignNode.pubKey
|
||||
2. signedAndEncryptedURL = sign the result of the encryption with the own privateKey
|
||||
3. invoke the request `https://<foreignNode.url>/<foreignNode.apiVersion/openConnection(own.pubKey, signedAndEncryptedURL )`
|
||||
4. the foreign node will response immediately with an empty response OK, otherwise break the authentication stage with en error
|
||||
4. the foreign node will process the request on its side - see [description below](#Sequence - view of new Community) - and invokes a redirect request base on the previous exchanged data during stage1 - Federation. This could be more than one redirect request depending on the amount of supported urls and apiversions we propagate to the foreignNode before.
|
||||
5. for each received request `https://<own.url>/<own.apiVersion/openConnectionRedirect(onetimecode, foreignNode.url, encryptedRedirectURL )` do
|
||||
1. with the given parameter the following steps will be done
|
||||
1. search for the foreignNode.pubKey by `select cf.pubKey from CommunityApiVersion cav, CommunityFederation cf where cav.url = foreignNode.url and cav.communityFederationID = cf.id`
|
||||
2. decrypt with the `own.privateKey` the received `encryptedRedirectURL` parameter, which contains a full qualified url inc. apiversion and route
|
||||
3. verify signature of `encryptedRedirectURL` with the previous found foreignNode.pubKey from the own database
|
||||
4. if the decryption and signature verification are successful then encrypt the own.uuid with the own.privateKey
|
||||
5. invoke the redirect request with https://`<redirect.URL>(onetimecode, encryptedOwnUUID)` and
|
||||
6. wait for the response with the `encryptedForeignUUID`
|
||||
7. decrypt the `encrpytedForeignUUID` with the foreignNode.pubKey
|
||||
8. write the encrypted foreignNode.UUID in the database by updating the CommunityFederation table per `update CommunityFederation cf set values (cf.uuid = foreignNode.UUID, cf.pubKeyVerifiedAt = NOW) where cf.pubKey = foreignNode.pubkey`
|
||||
|
||||
After all redirect requests are process, all relevant authentication data of the new community are well know here and stored in the database.
|
||||
|
||||
|
||||
#### Sequence - view of new Community {Sequence - view of new Community}
|
||||
|
||||
ongoing
|
||||
|
||||
As mentioned the DHT-node invokes the authentication stage on apollo server with the received data from *direct exchange*.
|
||||
|
||||
#### Sequence
|
||||
|
||||
### Stage3 - Autorized Business Communication
|
||||
|
||||
ongoing
|
||||
|
||||
|
||||
# Review von Ulf
|
||||
|
||||
## Communication concept
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
<mxfile host="65bd71144e">
|
||||
<diagram id="jqy9GLoHfEna4h-l2pXZ" name="Seite-1">
|
||||
<mxGraphModel dx="2893" dy="1778" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="2336" pageHeight="1654" math="0" shadow="0">
|
||||
<mxGraphModel dx="1302" dy="800" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="2336" pageHeight="1654" math="0" shadow="0">
|
||||
<root>
|
||||
<mxCell id="0"/>
|
||||
<mxCell id="1" parent="0"/>
|
||||
@ -140,9 +140,9 @@
|
||||
<mxPoint x="1045" y="601" as="targetPoint"/>
|
||||
</mxGeometry>
|
||||
</mxCell>
|
||||
<mxCell id="50" value="<b>&nbsp; request: </b>http://&lt;url_A&gt;/&lt;apiVer_A&gt;//<b>openConnectionRedirect</b>(<font color="#ff00ff"><b>onetimeCode</b></font>, url_B, encrypted <font color="#cc0000"><b>redirect_URL</b></font>)&nbsp;&nbsp;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=14;" parent="49" vertex="1" connectable="0">
|
||||
<mxCell id="50" value="<b>&nbsp; request: </b>http://&lt;url_A&gt;/&lt;apiVer_A&gt;//<b>openConnectionRedirect</b>(<font color="#ff00ff"><b>onetimeCode</b></font>, url_B, encrypted and signed&nbsp;<font color="#cc0000"><b>redirect_URL</b></font>)&nbsp;&nbsp;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];fontSize=14;" parent="49" vertex="1" connectable="0">
|
||||
<mxGeometry x="0.255" y="2" relative="1" as="geometry">
|
||||
<mxPoint x="72" y="-3" as="offset"/>
|
||||
<mxPoint x="97" y="-1" as="offset"/>
|
||||
</mxGeometry>
|
||||
</mxCell>
|
||||
<mxCell id="132" style="edgeStyle=none;html=1;fontColor=#FF0000;startArrow=none;startFill=0;endArrow=none;endFill=0;dashed=1;exitX=0;exitY=0.75;exitDx=0;exitDy=0;" parent="1" source="51" edge="1">
|
||||
@ -158,7 +158,7 @@
|
||||
<Array as="points"/>
|
||||
</mxGeometry>
|
||||
</mxCell>
|
||||
<mxCell id="53" value="<font color="#009900">pubkey_A of url_A</font><br>==&nbsp;<font color="#ff0000">pubkey_A</font>?" style="rhombus;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1">
|
||||
<mxCell id="53" value="<span style="color: rgb(0 , 153 , 0)">url_A of&nbsp;</span><font color="#009900">pubkey_A</font><br>==&nbsp;<font color="#ff0000">url_A</font>?" style="rhombus;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;" parent="1" vertex="1">
|
||||
<mxGeometry x="1998.14" y="880.25" width="150" height="70" as="geometry"/>
|
||||
</mxCell>
|
||||
<mxCell id="55" value="<div style="text-align: center"><span>&nbsp; &nbsp; &nbsp; &nbsp;existing infrastructure Community-A</span></div>" style="rounded=1;whiteSpace=wrap;html=1;verticalAlign=top;fontStyle=1;fontSize=14;align=left;fillColor=#d5e8d4;strokeColor=#82b366;gradientColor=#97d077;" parent="1" vertex="1">
|
||||
@ -246,7 +246,7 @@
|
||||
<Array as="points"/>
|
||||
</mxGeometry>
|
||||
</mxCell>
|
||||
<mxCell id="100" value="encrypt redirect_URL&nbsp;&nbsp;<br>with <font color="#009900">publickey_A</font> + sign with <font color="#009900">privatKey_B</font>" style="rounded=0;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;align=left;" parent="1" vertex="1">
|
||||
<mxCell id="100" value="encrypt redirect_URL (inc. apiVersion)&nbsp;&nbsp;<br>with <font color="#009900">publickey_A</font> + sign with <font color="#009900">privatKey_B</font>" style="rounded=0;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;align=left;" parent="1" vertex="1">
|
||||
<mxGeometry x="1406.8600000000001" y="951" width="276.28" height="40" as="geometry"/>
|
||||
</mxCell>
|
||||
<mxCell id="101" value="" style="endArrow=classic;html=1;fontSize=14;fontColor=#FF8000;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;startArrow=none;startFill=0;endFill=1;" parent="1" source="83" target="100" edge="1">
|
||||
@ -300,7 +300,7 @@
|
||||
<mxPoint x="2325" y="1330" as="targetPoint"/>
|
||||
</mxGeometry>
|
||||
</mxCell>
|
||||
<mxCell id="120" value="search <font color="#ff0000"><b>url_A</b></font>&nbsp;in <br>local Community-List" style="rounded=0;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;align=left;" parent="1" vertex="1">
|
||||
<mxCell id="120" value="search <font color="#ff0000"><b>pubKey_A</b></font>&nbsp;in <br>local Community-List" style="rounded=0;whiteSpace=wrap;html=1;fontSize=14;fillColor=#dae8fc;strokeColor=#6c8ebf;align=left;" parent="1" vertex="1">
|
||||
<mxGeometry x="1613.14" y="896" width="140" height="40" as="geometry"/>
|
||||
</mxCell>
|
||||
<mxCell id="121" value="" style="endArrow=classic;html=1;fontSize=14;fontColor=#FF8000;entryX=0;entryY=0.5;entryDx=0;entryDy=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;endFill=1;" parent="1" source="51" target="120" edge="1">
|
||||
|
||||
Binary file not shown.
|
Before Width: | Height: | Size: 653 KiB After Width: | Height: | Size: 653 KiB |
Loading…
x
Reference in New Issue
Block a user