Introduction
...
URAC Installation:
```bash
# go to soajs directory
cd /opt/soajs/node_modules
# install urac
npm install soajs.urac
# go to urac directory
cd /opt/soajs/node_modules/soajs.urac
# export necessary environment variables
export SOAJS_PROFILE=/opt/soajs/node_modules/soajs.utilities/data/getStarted/profile.js
export SOAJS_ENV=test
export SOAJS_SRVIP=127.0.0.1
# run urac
node .
```
URAC is now running on http://127.0.0.1:4001 and will be used to log in with different users. Its maintenance port is therefore 5001.
Next, a heartbeat request is sent to check the health of the URAC service.
URAC heartbeat:
```bash
curl -X GET "http://127.0.0.1:5001/heartbeat"
```
...
```bash
# go to correct directory
cd /opt/soajs/node_modules/soajs.examples/example03/
# export necessary environment variables
export SOAJS_PROFILE=/opt/soajs/node_modules/soajs.utilities/data/getStarted/profile.js
export SOAJS_ENV=test
export SOAJS_SRVIP=127.0.0.1
# start service
node .
```
The service is now running and listens on port 4012. Therefore, its maintenance port is 5012.
Next, a heartbeat request is sent to check the health of the service.
```bash
curl -X GET "http://127.0.0.1:5012/heartbeat"
```
...
```
(/opt/soajs/node_modules/soajs/servers/controller.js:415 in logErrors): System api access is restricted. api is not in provision.
```
...
| User | Tenant | Overrides Package | Overrides Tenant | buildName | testGet | Custom Tenant Information |
|---|---|---|---|---|---|---|
| User1 | Tenant1 | NO | NO | NO | NO | NA |
| User2 | Tenant1 | YES | NO | YES | YES | Changes the tenant name |
| User3 | Tenant1 | NO | YES | YES | NO | Changes the tenant name |
The above table shows three users. Each user has the ability to override the permissions of their tenant and of the package attributed to that tenant.
The examples that follow aim to present how a user can override the ACL permissions of the tenant it belongs to AND/OR the package that the tenant is using.
In addition to that, the examples will show that the user also has the ability to change the tenant's configuration, which in this case is the "tenant name".
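As an added example (not SOAJS code), the override order this page demonstrates can be checked before any key is issued: a user's ACL stored under a tenant key wins over the user's per-package ACL, which wins over the package ACL the tenant was provisioned with. The user records below are constructed to mirror the three users of the table, in the shape of the getUser responses shown later on this page; the package ACL without example03 is an assumption.

```javascript
// Added example (not SOAJS code): simplified model of the override order this page
// demonstrates. Per-tenant-key ACL > per-package ACL > the tenant's package ACL.
const PACKAGE = "PROD1_PCK1";                             // package name from the page
const TENANT_KEY = "19c03e42c750467c3f8481fbe26f2fef";    // tenant key from the page
const PACKAGE_ACL = { urac: {} };                         // constructed: example03 not provisioned

// Constructed user records mirroring user1, user2 and user3 of the table above.
const USERS = {
  user1: { config: {} },
  user2: { config: {
    packages: { [PACKAGE]: { acl: { urac: {}, example03: {}, example04: {} } } },
    keys: { [TENANT_KEY]: { config: { example03: { tenantName: "Tenant name specific to user two" } } } } } },
  user3: { config: { keys: { [TENANT_KEY]: {
    config: { example03: { tenantName: "Tenant name specific to user three" } },
    acl: { urac: {}, example03: { apisPermission: "restricted", apis: { "/buildName": {} } } } } } } },
};

// Choose the ACL that governs this user for one tenant key and one package.
function effectiveAcl(user, tenantKey, pkg, packageAcl) {
  const keyAcl = user.config?.keys?.[tenantKey]?.acl;
  if (keyAcl) return keyAcl;                              // user overrides the tenant
  const pkgAcl = user.config?.packages?.[pkg]?.acl;
  if (pkgAcl) return pkgAcl;                              // user overrides the package
  return packageAcl;                                      // no override: tenant's package ACL
}

// Is one API of one service permitted by an ACL? A service absent from the ACL is
// denied outright; a "restricted" service only exposes the APIs it lists.
function isAllowed(acl, service, api) {
  const svc = acl[service];
  if (!svc) return false;
  if (svc.apisPermission === "restricted") {
    return Object.prototype.hasOwnProperty.call(svc.apis || {}, api);
  }
  return true;
}

function canCall(username, service, api) {
  const acl = effectiveAcl(USERS[username], TENANT_KEY, PACKAGE, PACKAGE_ACL);
  return isAllowed(acl, service, api);
}

// The per-key service config overrides the tenant default ("Client One" on this page).
function tenantName(username, service, defaultName) {
  const custom = USERS[username].config?.keys?.[TENANT_KEY]?.config?.[service]?.tenantName;
  return custom ?? defaultName;
}
```

Running the three users through canCall reproduces the buildName and testGet columns of the table.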
User1 Tests
OAUTH Login
Before using the service APIs, a user must be authenticated to the service. Each of the three users has a password. The first step is to log in to OAUTH with a user and receive an access token. This access token must be attached to each request.
...
Request:
```bash
curl -X GET -H "key: 4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" -H "access_token: a188a7fcb411a05159aaf4c97e7321eb77fb0f66" "http://127.0.0.1:4000/urac/account/getUser?username=user1"
```
...
The next request tries to use the "buildName" API with the tenant key and the access token of user1. The table above clearly states that this user does not have access to this API. Therefore, the corresponding response must be an error stating that the user is forbidden from using the "buildName" API.
Request:
```bash
curl -X GET "http://127.0.0.1:4000/example03/buildName?lastName=Smith&access_token=a188a7fcb411a05159aaf4c97e7321eb77fb0f66" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2"
```
...
Response:
```js
{"result":false,"errors":{"codes":[154],"details":[{"code":154,"message":"Access denied: The service is not available in your current package."}]}}
```
If we look at the terminal that is running the controller, we will see a more in-depth error message:
```
(/opt/soajs/node_modules/soajs/servers/controller.js:415 in logErrors): Access denied: The service is not available in your current package.
```
User2 Tests
URAC OAUTH Login
Similar to user1, the example below accesses the URAC OAUTH service with the user2 account, in order to receive an authentication key.
Get the authorization key:
```bash
curl -X GET -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/urac/login" -d "username=user2&password=123456"
```
...
The key in the request above is the tenant key.
Response:
```js
{"result":true,"data":"Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA=="}
```
Get the access token using the authorization key:
```bash
curl -X POST -H "Authorization:Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA==" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/oauth/token" -d "username=user2&password=123456&grant_type=password"
```
Response:
```js
{"token_type":"bearer","access_token":"a188a7fcb411a05159aaf4c97e7321eb77fb0f66","expires_in":7200,"refresh_token":"9e67bd8055e953240eaf91daabe7ecdc206f941b"}
```
Request:
```bash
curl -X GET -H "key: 4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/urac/account/getUser?username=user2"
```
The service replies with the corresponding authentication key.
Response:
```js
{"result":true,"data":{"_id":"54ee46e7a8643c4d10a61ba3","username":"user2","firstName":"user","lastName":"two","email":"user2@domain.com","ts":1500998208596,"status":"active","profile":{},"groups":["silver"],"tenant":{"id":"54ee2150b7a669fc22b7f6b9","code":"TNT1"},"config":{"packages":{"PROD1_PCK1":{"acl":{"urac":{},"example03":{},"example04":{}}}},"keys":{"41eb3256ce660a891205d0a0eca19421":{"config":{"example03":{"tenantName":"Tenant name specific to user two"},"example04":{"tenantName":"Tenant name specific to user two"}}},"19c03e42c750467c3f8481fbe26f2fef":{}}}},"soajsauth":"Basic c29hanM6QzAyMmd5TTU0enplWW1oTHdXMjV5ZGdGb3B1VUthSWZ3b0s="}
```
buildName API with user2
The next request tries to use the "buildName" API with the tenant key and the access token of user2. The table above clearly states that this user does have access to this API. Therefore, the corresponding response must contain the appropriate answer to the user's query.
Request:
```bash
curl -X GET "http://127.0.0.1:4000/example03/buildName?lastName=Smith&access_token=a188a7fcb411a05159aaf4c97e7321eb77fb0f66" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2"
```
The response below shows that user2 was able to access the "buildName" API since the user overrides the ACL of package1. Moreover, we notice that the tenant name was changed.
Response:
```js
{"result":true,"data":{"tenantName":"Client One","fullName":"John Smith"},"soajsauth":"Basic c29hanM6QzAxWWNjUzJaSEpYenhBd0J5MDAzZG5RZ1BOdXFFd0d4UmM="}
```
testGet API with user2
Next, the request aims to use the "testGet" API with user2, who has access to the API, as shown in the table above.
Request:
```bash
curl -X GET "http://127.0.0.1:4000/example03/testGet?firstName=John&lastName=Smith&access_token=a188a7fcb411a05159aaf4c97e7321eb77fb0f66" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2"
```
The corresponding response proves the above statement: user2 overrode the package ACL and obtained full access to the service's APIs.
Response:
```js
{"result":true,"data":{"firstName":"John","lastName":"Smith"},"soajsauth":"Basic c29hanM6QzAyWWNjQXdaSDBYSnhTMkJ5ejAzZG5RZ1BOdXFFd0d4UmM="}
```
...
User3 Tests
OAUTH Login
The following request logs in to OAUTH using user3.
Get the authorization key:
```bash
curl -X GET -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/urac/login" -d "username=user3&password=654321"
```
...
The key in the request above is the tenant key.
Response:
```js
{"result":true,"data":"Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA=="}
```
Get the access token using the authorization key:
```bash
curl -X POST -H "Authorization:Basic MTBkMmNiNWZjMDRjZTUxZTA2MDAwMDAxOnNoaGggdGhpcyBpcyBhIHNlY3JldA==" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/oauth/token" -d "username=user3&password=654321&grant_type=password"
```
Response:
```js
{"token_type":"bearer","access_token":"06ff4ec503f9ecd91af42cf8d324e65b5c780645","expires_in":7200,"refresh_token":"5479fa9d6fd049111c490229e7713e77e794ee41"}
```
The following request logs in to URAC using user3.
Request:
```bash
curl -X GET -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2" "http://127.0.0.1:4000/urac/account/getUser?username=user3"
```
The response below contains the authentication key of user3.
Response:
```js
{"result":true,"data":{"_id":"54ee1bf91856706c2363930a","username":"user3","firstName":"user","lastName":"three","email":"user3@domain.com","ts":1500998208597,"status":"active","profile":{},"groups":["gold","silver","customer"],"tenant":{"id":"54ee2150b7a669fc22b7f6b9","code":"TNT1"},"config":{"packages":{"PROD1_PCK1":{"acl":{"urac":{},"example03":{},"example04":{}}}},"keys":{"19c03e42c750467c3f8481fbe26f2fef":{"config":{"example03":{"tenantName":"Tenant name specific to user three"},"example04":{"tenantName":"Tenant name specific to user three"}},"acl":{"urac":{},"example04":{},"example03":{"apisPermission":"restricted","apis":{"/buildName":{}}}}}}}},"soajsauth":"Basic c29hanM6QzAxNl9pUFltUUtkdnFsck5ZSmFoMG1mMmVEZzZ0SXkxaTU="}
```
buildName API with user3
User3 overrides the tenant and has access to the "buildName" API, as can be seen in the response below.
Request:
```bash
curl -X GET "http://127.0.0.1:4000/example03/buildName?lastName=Smith&access_token=06ff4ec503f9ecd91af42cf8d324e65b5c780645" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2"
```
User3 was also able to change the name of the tenant.
Response:
```js
{"result":true,"data":{"tenantName":"Tenant name specific to user three","fullName":"John Smith"},"soajsauth":"Basic c29hanM6QzAxaV9KRk5ZYU5VbHZCcC1QOEVoWHFKVjIxdzNyNFlVWF8="}
```
testGet API with user3
However, the ACL corresponding to this user prohibits it from using the "testGet" API.
Request:
```bash
curl -X GET "http://127.0.0.1:4000/example03/testGet?lastName=Smith&access_token=06ff4ec503f9ecd91af42cf8d324e65b5c780645" -H "key:4232477ed993d167ec13ccf8836c29c400fef7eb3d175b1f2192b82ebef6fb2d129cdd25fe23c04f856157184e11f7f57b65759191908cb5c664df136c7ad16a56a5917fdeabfc97c92a1f199e457e31f2450a810769ff1b29269bcb3f01e3d2"
```
Response:
```js
{"result":false,"errors":{"codes":[135],"details":[{"code":135,"message":"Error occurred while redirecting your request to the service"}]}}
```
The response proves that user3 does not have access to the "testGet" API.
If we look at the terminal that is running the controller, we will see a more in-depth error message:
```
(/opt/soajs/node_modules/soajs/servers/service.js:415 in logErrors): System api access is restricted. api is not in provision.
```
...