Page Comparison

Introduction

...

# go to soajs directory
cd /opt/soajs/node_modules

# install urac
npm install soajs.urac

# go to urac directory
cd /opt/soajs/node_modules/soajs.urac
# export necessary environment variables
export SOAJS_PROFILE=/opt/soajs/node_modules/soajs.utilities/data/getStarted/profile.js
export SOAJS_ENV=test
export SOAJS_SRVIP=127.0.0.1

# run urac
node .

URAC is now running on http://127.0.0.1:4001 and will be used to login with different users. Therefore, its maintenance port is 5001.

Next, a heartbeat request is sent to check the health of the URAC service.

curl -X GET "http://127.0.0.1:5001/heartbeat"

...

# go to correct directory
cd /opt/soajs/node_modules/soajs.examples/example03/

# export necessary environment variables
export SOAJS_PROFILE=/opt/soajs/node_modules/soajs.utilities/data/getStarted/profile.js
export SOAJS_ENV=test
export SOAJS_SRVIP=127.0.0.1

# start service
node .

The service is now running and listens on port 4012. Therefore, its maintenance port is 5012.

Next, a heartbeat request is sent to check the health of the service.

curl -X GET "http://127.0.0.1:5012/heartbeat"

...

{"result": true,"data": {"tenantName": "Client Two","fullName": "John Thomas"},"soajsauth": "Basic c29hanM6czAxMjlsdlY5QTBZOW5Xd1JFVjJ0NEF0NXVyQjBtQkNydmc="}

testGet using application3: Tenant2, package2

...

{"result": true,"data": {"firstName": "John","lastName": "Smith"},"soajsauth": "Basic c29hanM6czAxYjd3N0NpUWtpVlMtbWsxcG1NbUZDSDNUYmQzSWZzbWk="}

buildName using application4: Tenant3, package3

...

{"result": true,"data": {"tenantName": "Client Three","fullName": "John Smith"},"soajsauth": "Basic c29hanM6czAxb0VPakE3NTc3djh4MnNlYmVXVm5Tc0pDNVU5Y3pVYlM="}

testGet using application4: Tenant3, package3

...

{"result": false,"errors": {"codes":[135159],"details":[{"code":135159,"message":"ErrorSystem api occurredaccess whileis redirectingrestricted. yourapi requestis tonot thein serviceprovision."}]}}

If we look at the terminal that is running the service "example03controller", we will see a more in-depth error message:

(/opt/soajs/node_modules/soajs/servers/servicecontroller.js:667419 in logErrors): System api access is restricted. api is not in provision.

...

The above table shows three users. Each user has the ability to override the permissions their tenant, and its attributed package.
The examples that follow aim to present how a user can override the ACL permissions of the tenant it belongs to AND/OR the package that the tenant is using.

In addition to that, the examples will show that the user also has the ability to change these configurations, which, in this case, is "tenant name".

User1 Tests

URAC OAUTH Login

Before using the service APIs, a user must be authenticated to the service. Each of the three users has a password. The first step would be to login to URACOAUTH

with a user, and receiving an authentication access token. This authentication access token must be attached to each request.

curl -X POSTGET -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/uracoauth/login" -d "username=user1&password=123456"

authorization"

The key in the request above is the tenant key.

{"result":true,"data":"Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA=="}

curl -X POST -H "Authorization:Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA==" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/oauth/token" -d "username=user1&password=123456&grant_type=password"

{"token_type":"bearer","access_token":"a188a7fcb411a05159aaf4c97e7321eb77fb0f66","expires_in":7200,"refresh_token":"9e67bd8055e953240eaf91daabe7ecdc206f941b"}

curl -X GET -H "key: 4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" -H "access_token: a188a7fcb411a05159aaf4c97e7321eb77fb0f66" "http://127.0.0.1:4000/urac/account/getUser?username=user1"

{"result":true,"data":{"_id":"54ee1a511856706c23639308","username":"user1","firstName":"user","lastName":"one","email":"user1@domain.com","ts":1480679707835,"status":"active","profile":{},"groups":["gold"],"tenant":{"id":"54ee2150b7a669fc22b7f6b9","code":"TNT1"},"config":{},"groupsConfig":[]},"soajsauth":"Basic c29hanM6QzAzd1ZqdVMtT1ZVTjNCcFZzd2xoQXNKMDdnOG9KNzRqak8="}

...

The corresponding response prove the above statement. User2 overrode the package ACL and obtained full access to the service's APIs

{"result":true,"data":{"firstName":"John","lastName":"Smith"},"soajsauth":"Basic c29hanM6QzAyWWNjQXdaSDBYSnhTMkJ5ejAzZG5RZ1BOdXFFd0d4UmM="}

...