Merge remote-tracking branch 'upstream/main' into main
gopal-mahajan committed Nov 10, 2023
2 parents afe41a7 + 529dfad commit ce1ac04
Showing 10 changed files with 297 additions and 710 deletions.
164 changes: 86 additions & 78 deletions docs/openapi.yaml
Expand Up @@ -2,7 +2,14 @@ openapi: 3.0.0
info:
version: 1.0.0
title: Data-Exchange-ACL-APD
description: API specification for ACL APD. These APIs are used by users manage policy. These APIs requires valid token for authentication.
description: |
# Introduction
**Data Exchange (DX) Access Control Layer (ACL) and Access Policy Domain (APD)** are designed for creating and managing policies for consumers and consumer delegates.
This allows providers and provider delegates to control access to their resources by consumers and consumer delegates.
This API specification for ACL APD requires a valid identity token from the **Data Exchange (DX) Authentication Authorization and Accounting (AAA) Server** for authentication purposes.
contact:
name: For support contact IUDX Team at
email: [email protected]
Expand Down Expand Up @@ -455,23 +462,20 @@ paths:
- Access Request
summary: List Access Requests
description: |-
Lists all the access requests of the user calling the API. The response depends on the roles the user has
Lists all the access requests of the user calling the API regardless of the state of the access requests. The response depends on the roles the user has
- `provider` : The requests that are present for the items owned by a provider are returned.
- `consumer` : The requests which are created by the consumer are returned.
- `provider` : The requests that are present for the items owned by a provider/provider delegate are returned.
- `consumer` : The requests which are created by the consumer/consumer delegate are returned.
<br>
<br>
`Note:` The response displays the requests of / for a user with respect to a particular server.
## Delegate
A delegate may use the API to view policies on behalf of their provider. The user info of the delegator must be present in the token issued by the Data Exchange AAA
operationId: get-auth-v1-policies-requests
parameters:
- name: Authorization
in: header
description: AAA issued token
description: AAA issued Identity token
required: true
schema:
type: string
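Review bot: the new `provider` bullet reads "items owned by a provider/provider delegate", which suggests a delegate owns items. A delegate acts for a provider, so say that a provider delegate sees the requests for the items of the provider they act for, and that a consumer delegate sees the requests created on behalf of their consumer. Also, this parameter description says "AAA issued Identity token" while the other operations in this file say "AAA Issued Identity token"; pick one casing.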
Expand All @@ -494,9 +498,10 @@ paths:
title: Success
results:
- requestId: ea48d233-5d3b-4bdb-9545-691680c99cee
itemId: pune-env-flood-FWR056"
itemId: sf50d232-5d3y-rbds-4758-691680c99defa
itemType: RESOURCE
status: pending
resourceServerUrl: rs.iudx.io
status: PENDING
expiryAt: '2024-03-05T20:00:19'
constraints:
access:
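Review bot: the replacement example `itemId: sf50d232-5d3y-rbds-4758-691680c99defa` is not a UUID. It contains `s`, `y` and `r`, and its last group has 13 characters, so it would fail the `^[0-9a-f]{8}...` pattern this spec applies to `itemId` in the create request body. Use a well-formed UUID in the example. The status value also changes to upper case (`PENDING`) while the update request enum elsewhere in the file is lower case (`granted`, `rejected`); confirm which casing the API actually returns and document it once.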
Expand Down Expand Up @@ -553,14 +558,15 @@ paths:
- Access Request
summary: Create Access Request
description: |-
Access requests are made by consumers to request a provider to grant access to the provider's resources. Providers or their associated delegates may choose to approve or reject the request. On approval, a policy is written for the consumer for said resource. On rejection, no policy is written.
Access requests are made by consumer/consumer delegate to request a provider to grant access to the provider's resources.
A provider will be notified whenever the consumer creates an access request.
Users with the `consumer` role can request access for a resource/resource group
Users with the consumer/consumer delegate role can request access for a resource/resource group
operationId: post-auth-v1-policies-requests
parameters:
- name: Authorization
in: header
description: AAA Issued token
description: AAA Issued Identity token
required: true
schema:
type: string
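Review bot: the rewritten description for Create Access Request no longer says what happens after the request is made; the earlier text stated that a policy is written on approval and that none is written on rejection. Keep that sentence or point the reader to Update Access Request. The last description line also drops the backticks around the role name that the previous wording used (`consumer`), which makes role names harder to spot.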
Expand All @@ -569,20 +575,19 @@ paths:
pattern: '^[a-zA-Z0-9_*\-*\.\/]+$'
requestBody:
description: |
- `itemId` : The catalogue ID of the item for which the request is to be created.(UUID)
- `itemId` : The catalogue ID of the item for which the request is to be created
- `itemType` : The type of the resource being requested for, it could be either RESOURCE or RESOURCE_GROUP
required: true
content:
application/json:
schema:
type: object
additionalProperties: false
properties:
itemId:
type: string
format: uuid
pattern: '^[0-9a-f]{8}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{12}$'
minLength: 36

itemType:
enum:
- RESOURCE_GROUP
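Review bot: the `itemId` bullet loses its "(UUID)" hint although the schema below it still declares `format: uuid` with a UUID pattern, so a caller reading only the description no longer learns the expected format; keep the hint. In that pattern the `\b` before each hyphen is redundant, since a hex character followed by `-` is always at a word boundary, and it can be dropped. `additionalProperties: false` is a welcome tightening; please check that `itemId` and `itemType` are listed under `required`, which is not visible in this hunk.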
Expand Down Expand Up @@ -645,20 +650,6 @@ paths:
schema:
type: string
description: application/json
'403':
description: |-
Forbidden
- Resource being requested for is forbidden to access
- Consumer trying to access a resource not belonging to the same server
content:
application/json:
schema:
$ref: '#/components/schemas/createNotificationForbiddenResponse'
headers:
Content-Type:
schema:
type: string
description: application/json

'404':
description: |-
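Review bot: with the `'403'` response removed from Create Access Request, the case "Consumer trying to access a resource not belonging to the same server" is no longer documented anywhere in this hunk. If that case is now answered with 404, add it as a bullet under the `'404'` description so clients can tell the two causes apart in the docs. Also check whether `#/components/schemas/createNotificationForbiddenResponse` is still referenced; if not, remove the schema in the same change.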
Expand Down Expand Up @@ -696,7 +687,7 @@ paths:
- Access Request
summary: Update Access Request
description: |
Providers or delegates can choose to approve or reject **pending** access requests associated with their resources.
Providers or provider delegates can choose to approve or reject **pending** access requests associated with their resources.
If the request is approved
- The request is modified to the `approved` state
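Review bot: the description says an approved request moves to the `approved` state, but the request body for this operation only accepts `granted` or `rejected` as `status`. Use one term for the state in both places, otherwise a client cannot tell what value to send or what value to expect back from the list API.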
Expand All @@ -705,13 +696,12 @@ paths:
If the request is rejected
- The request is modified to the `rejected` state
## Delegate
A delegate may use the API to view policies on behalf of their provider. This is done by passing the userInfo of the delegator which must be present in the token issued by the AAA.
operationId: put-auth-v1-policies-requests
parameters:
- name: Authorization
in: header
description: AAA Issued token
description: AAA Issued Identity token
required: true
schema:
type: string
Expand All @@ -720,34 +710,53 @@ paths:
pattern: '^[a-zA-Z0-9_*\-*\.\/]+$'
requestBody:
description: |-
- `requestId` : ID of the request. Can get this `id` by using the list policy API.
- `status` : The `provider` or `Auth delegate` can update the status to `granted` or `rejected`.
- `requestId` : ID of the request. Can get this `id` by using the GET Access request API.
- `status` : The `provider` or `provider delegate` can update the status to `granted` or `rejected`.
- `expiryAt` : expiration time stamp of the policy that will be created (Only present for the granted requests).
- `constraints` : constraints for the policy if request is granted.
- `constraints` : constraints for the access request if it is granted.
required: true
content:
application/json:
schema:
type: object
properties:
requestId:
type: string
format: uuid
pattern: '^[0-9a-f]{8}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{12}$'
minLength: 36

status:
enum:
- granted
- rejected
minLength: 1
expiryAt:
type: string
constraints:
oneOf:
- title: approve access request
additionalProperties: false
type: object
required:
- requestId
- status
properties:
requestId:
type: string
format: uuid
pattern: '^[0-9a-f]{8}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{12}$'
status:
type: string
enum:
- granted
expiryAt:
type: string
constraints:
type: object
required:
- requestId
- status
- expiryAt
- constraints

- title : reject access request
additionalProperties: false
type: object
properties:
requestId:
type: string
format: uuid
pattern: '^[0-9a-f]{8}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{12}$'
status:
type: string
enum:
- rejected
required:
- requestId
- status

x-examples:
example-1:
requestId: bca11712-f381-46a5-afa3-a29b00568ace
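Review bot: in the "approve access request" branch, `expiryAt` is a bare `type: string` and `constraints` is a bare `type: object`, so the `additionalProperties: false` on the outer object does not constrain either of them. Give `expiryAt` a `format` or pattern matching the timestamp shape used in the examples, and describe the allowed keys of `constraints`. Two `required:` lists are visible around this branch (one with `requestId`, `status`, one that also lists `expiryAt` and `constraints`); make sure only one remains per branch, because a duplicated key in a YAML mapping is invalid or silently overridden. Minor: `- title : reject access request` has a stray space before the colon.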
Expand Down Expand Up @@ -827,7 +836,7 @@ paths:
'403':
description: |-
Forbidden
- User does not own the policy or is not a delegate to the owner of the policy
- User does not own the resource for which a policy is to be created
content:
application/json:
schema:
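Review bot: the new 403 text, "User does not own the resource for which a policy is to be created", drops the delegate case that the previous wording covered. The operation description allows provider delegates to act on requests, so the 403 condition should read along the lines of "does not own the resource and is not a delegate of its owner".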
Expand All @@ -854,14 +863,14 @@ paths:
- Access Request
summary: Withdraw Access Request
description: |-
A consumer may choose to withdraw access requests they have created, **as long as they are still in the pending state**. A withdrawn request cannot be approved or rejected by the concerned provider.
A consumer/consumer may choose to withdraw access requests they have created, **as long as they are still in the pending state**. A withdrawn request cannot be approved or rejected by the concerned provider.
Only users with `consumer` role can call this API.
Only users with consumer/consumer delegate role can call this API.
operationId: delete-auth-v1-policies-requests
parameters:
- name: Authorization
in: header
description: AAA Issued token
description: AAA Issued Identity token
required: true
schema:
type: string
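Review bot: "A consumer/consumer may choose to withdraw" is a typo in the new description; it should read "A consumer/consumer delegate", matching the role line two lines below.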
Expand All @@ -878,13 +887,12 @@ paths:
application/json:
schema:
type: object
additionalProperties: false
properties:
id:
type: string
format: uuid
pattern: '^[0-9a-f]{8}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{4}\b-[0-9a-f]{12}$'
minLength: 36

required:
- id
examples:
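Review bot: this body names the identifier `id`, while the update operation names the same value `requestId`. Now that `additionalProperties: false` is set on both, a client that sends the wrong key gets a validation failure, so either align the two names or call out the difference in the request body description.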
Expand All @@ -903,7 +911,7 @@ paths:
description: |-
Bad Request
- Errors or exceptions
- The ID is no longer in the `PENDING` status or has already been withdrawn earlier
- The access request is no longer in the `PENDING` status or has already been withdrawn earlier
content:
application/json:
schema:
Expand All @@ -916,14 +924,6 @@ paths:
application/json:
schema:
$ref: '#/components/schemas/deleteNotificationNotFound'
'403':
description: |-
Forbidden
- User does not own the policy or is not a delegate to the owner of the policy
content:
application/json:
schema:
$ref: '#/components/schemas/deleteNotificationForbiddenResponse'
'401':
description: |-
Unauthorized
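Review bot: removing the `'403'` response from Withdraw Access Request leaves the "request belongs to another user" case undocumented. State which status a consumer receives when the `id` exists but was created by someone else (for example under the `'404'` description), and drop `deleteNotificationForbiddenResponse` from `components` if nothing references it any more.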
Expand Down Expand Up @@ -1006,7 +1006,8 @@ components:
example:
type: urn:dx:acl:forbidden
title: Forbidden
detail: Request could not be updated, as it doesn't belong to the user
detail: "Access Denied: You do not have ownership rights for this resource."


updateNotificationNotFound:
title: Update notification not found
Expand Down Expand Up @@ -1072,7 +1073,7 @@ components:
example:
type: urn:dx:acl:conflict
title: Conflict
detail: Request could not be approved, as policy is already created
detail: Request could not be approved as, policy is already created

UpdateAccessRequest:
title: Delete notification forbidden
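Review bot: the new conflict message, "Request could not be approved as, policy is already created", moves the comma to the wrong side of "as"; the previous "approved, as policy is already created" was correct. In the context below, the schema `UpdateAccessRequest` carries the title "Delete notification forbidden", which looks like a copy-paste leftover worth fixing while this file is being edited.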
Expand Down Expand Up @@ -1158,7 +1159,7 @@ components:
example:
type: urn:dx:acl:resourceNotFound
title: Not Found
detail: Request could not be created, as resource is not found
detail: Request could not be created, as resource was not found

createNotificationConflictResponse:
title: Create notification conflict response
Expand Down Expand Up @@ -1772,15 +1773,18 @@ components:
itemType:
type: string
minLength: 1
resourceServerUrl:
type: string
minLength: 1
status:
type: string
minLength: 1
expiryDuration:
expiryAt:
type: string
minLength: 1
constraints:
type: object
user:
consumer:
type: object
properties:
id:
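Review bot: renaming `expiryDuration` to `expiryAt` and `user` to `consumer` in the list response changes field names that existing clients parse, while `info.version` at the top of the file stays at `1.0.0`. Bump the version or note the rename in the description. `expiryAt` is also declared only as a string with `minLength: 1`; add a `format` or pattern so the timestamp shape shown in the examples is part of the contract.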
Expand All @@ -1805,7 +1809,7 @@ components:
- id
- email
- name
owner:
provider:
type: object
properties:
id:
Expand Down Expand Up @@ -1835,7 +1839,11 @@ components:
- itemId
- itemType
- status
- expiryDuration
- expiryAt
- resourceServerUrl
- constraints
- consumer
- provider
required:
- type
- title
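Review bot: `expiryAt` and `constraints` become required for every item in the list response, but the update request body describes `expiryAt` as "Only present for the granted requests". A pending or rejected request would then fail this schema unless the server fills in placeholder values. Either leave these two out of `required` or document what they contain before a request is granted.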
Expand Up @@ -164,7 +164,7 @@ public void start() throws Exception {

routerBuilder.rootHandler(TimeoutHandler.create(100000, 408));
configureCorsHandler(routerBuilder);
routerBuilder.rootHandler(BodyHandler.create());
routerBuilder.rootHandler(BodyHandler.create().setHandleFileUploads(false));
router = routerBuilder.createRouter();
putCommonResponseHeaders();
configureErrorHandlers(router);
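Review bot: `BodyHandler.create().setHandleFileUploads(false)` turns off upload handling but leaves the request body size at the handler's default. These endpoints take small JSON bodies, so consider chaining `setBodyLimit(...)` with an explicit cap on the same line. The `TimeoutHandler.create(100000, 408)` above it keeps a request open for up to 100 seconds, which is worth revisiting alongside the body limit.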
Expand Up @@ -420,13 +420,16 @@ public Future<Boolean> isItemPresentInCatalogue(UUID resourceId, String itemType
}
});
} else {
LOG.debug(
"user does not have access to create notification as they're belonging "
+ "to a different server w.r.t to the resource");
JsonObject failureMessage =
new JsonObject()
.put(TYPE, HttpStatusCode.FORBIDDEN.getValue())
.put(TITLE, ResponseUrn.FORBIDDEN_URN.getUrn())
.put(TYPE, HttpStatusCode.NOT_FOUND.getValue())
.put(TITLE, ResponseUrn.RESOURCE_NOT_FOUND_URN.getUrn())
.put(
DETAIL,
"Access Denied: You do not have ownership rights for this resource");
"Access request could not be created, as resource was not found");
promise.fail(failureMessage.encode());
}
} else {
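Review bot: the cross-server case now answers with a not-found response and the only trace is the new `LOG.debug(...)`, which carries neither the caller nor the `resourceId`. Since the client can no longer distinguish this from a missing item, the server log is the one place where such attempts can be spotted; include `resourceId` and the user id in the message and consider a level that is retained in production. The log text has a doubled word ("w.r.t to"). Separately, `.put(TYPE, HttpStatusCode.NOT_FOUND.getValue())` with `.put(TITLE, ResponseUrn.RESOURCE_NOT_FOUND_URN.getUrn())` puts the status in `type` and the URN in `title`, the reverse of the OpenAPI examples (`type: urn:dx:acl:resourceNotFound`, `title: Not Found`); please confirm this is what the caller that decodes the failure message expects.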