-
Notifications
You must be signed in to change notification settings - Fork 177
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Split auth_proxy routes out into auth_proxy.raml, updated Dockerfile …
…to rely on bindmounts rather than copying in files, changed protocol to https Signed-off-by: Bill Robinson <dseevr@users.noreply.github.com>
- Loading branch information
Showing
14 changed files
with
539 additions
and
931 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,6 @@ | ||
| all: docs | ||
|
|
||
| docs: | ||
| @./build.sh | ||
| @bash ./build.sh | ||
|
|
||
| .PHONY: docs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,96 @@ | ||
| #%RAML 1.0 | ||
| title: Contiv | ||
| description: Contiv API Specification | ||
| version: v1 | ||
| baseUri: | ||
| value: https://{serverfqdn}:10000/api/{version} | ||
| (rediractable): true | ||
| baseUriParameters: | ||
| serverfqdn: | ||
| type: string | ||
| protocols: [ HTTPS ] | ||
| mediaType: [ application/json ] | ||
|
|
||
| resourceTypes: | ||
| collection: !include contiv/schemas/collection.raml | ||
| non-upd-collection-item: !include contiv/schemas/non-upd-collection-item.raml | ||
| collection-item: !include contiv/schemas/collection-item.raml | ||
| ro-collection-item: !include contiv/schemas/ro-collection-item.raml | ||
|
|
||
| annotationTypes: | ||
| info: | ||
| properties: | ||
| license: | ||
| type: string | ||
| enum: [ "Apache 2.0" ] | ||
| allowedTargets: API | ||
| rediractable: boolean | ||
|
|
||
| securitySchemes: | ||
| custom_scheme: !include contiv/schemas/custom-scheme.raml | ||
|
|
||
| # Resource templates | ||
| uses: | ||
| auth_proxy: contiv/libraries/auth_proxy.raml | ||
|
|
||
| securedBy: custom_scheme | ||
|
|
||
| # auth_proxy endpoints | ||
| /auth_proxy: | ||
| displayName: Auth API | ||
| description: Authentication/Authorization related API | ||
|
|
||
| /health: | ||
| get: | ||
| securedBy: [ null ] | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: auth_proxy.health | ||
|
|
||
| /login: | ||
| post: | ||
| description: Login to Contiv API server | ||
| securedBy: [ null ] | ||
| body: | ||
| application/json: | ||
| type: auth_proxy.login | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: auth_proxy.login_response | ||
| 400: | ||
| 401: | ||
|
|
||
| /version: | ||
| get: | ||
| securedBy: [ null ] | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | | ||
| { "version": "1.0.0-beta" } | ||
| /authorizations: | ||
| type: {collection: {provider: auth_proxy}} | ||
| displayName: Authorizations | ||
|
|
||
| /{authzUUID}: | ||
| type: {non-upd-collection-item: {provider: auth_proxy}} | ||
| displayName: Authorization | ||
|
|
||
| /local_users: | ||
| type: {collection: {provider: auth_proxy}} | ||
| displayName: Local Users | ||
|
|
||
| /{username}: | ||
| type: {collection-item: {provider: auth_proxy}} | ||
| displayName: Local User | ||
| put: | ||
|
|
||
| /ldap_configuration: | ||
| type: {collection-item: {provider: auth_proxy}} | ||
| displayName: LDAP Configuration | ||
| put: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| #%RAML 1.0 Library | ||
| types: | ||
| health: | ||
| properties: | ||
| status: | ||
| enum: [ "healthy", "unhealthy" ] | ||
| version: string | ||
| netmaster: | ||
| properties: | ||
| status: | ||
| enum: [ "healthy", "unhealthy" ] | ||
| reason: | ||
| type: string | ||
| required: false | ||
| description: reason for netmaster being unhealthy | ||
| version: | ||
| type: string | ||
| required: false | ||
| description: omitted in case netmaster is unhealthy | ||
| example: | | ||
| {"netmaster":{"status":"healthy","version":"pv1.0.0-alpha-01-27-2017.23-16-47.UTC"},"status":"healthy","version":"1.0.0-alpha"} | ||
| ldap_configuration: | ||
| properties: | ||
| server: | ||
| type: string | ||
| description: FQDN or IP address of AD server | ||
| example: auth.local.com | ||
| port: | ||
| type: integer | ||
| format: int16 | ||
| minimum: 0 | ||
| description: port where AD server is listening | ||
| example: 389 | ||
| base_dn: | ||
| type: string | ||
| description: Distinguished name for base entity. All search queries will be scope to this BaseDN | ||
| example: ou=eng,dc=auth,dc=com | ||
| service_account_dn: | ||
| type: string | ||
| description: DN of the service account. auth_proxy will use this account to communicate with AD server. Hence this account must have appropriate privileges, specifically for lookup. | ||
| service_account_password: | ||
| type: string | ||
| start_tls: | ||
| type: boolean | ||
| description: switch session to TLS after proxy connects to AD server. This option must be configured on AD server. Recommended to set to true in production environments. | ||
| insecure_skip_verify: | ||
| type: boolean | ||
| description: skip cert check on AD server. Recommended to set to false for production environments. | ||
| upd_ldap_configuration: | ||
| type: ldap_configuration | ||
|
|
||
|
|
||
| local_user: | ||
| properties: | ||
| username: string | ||
| password: string | ||
| firstname: | ||
| type: string | ||
| example: John | ||
| required: false | ||
| lastname: | ||
| type: string | ||
| example: Doe | ||
| required: false | ||
| disable: | ||
| type: boolean | ||
| required: false | ||
| example: | ||
| username: johndoe | ||
| password: p@ssw0rd | ||
| upd_local_user: | ||
| properties: | ||
| firstname: | ||
| type: string | ||
| required: false | ||
| lastname: | ||
| type: string | ||
| required: false | ||
| disable: | ||
| type: boolean | ||
| required: false | ||
| password: | ||
| type: string | ||
| required: false | ||
| example: | ||
| firstname: Jane | ||
| disable: true | ||
| local_users: | ||
| type: array | ||
| items: | ||
| type: local_user | ||
|
|
||
| login: | ||
| properties: | ||
| username: | ||
| type: string | ||
| description: user name. If a local user doesn't exist by that name, AD authentication will be tried using sAMAccountName=username in BaseDN scope of the AD server (see ldap configuration for more details) | ||
| password: string | ||
| example: | ||
| username: johndoe | ||
| password: p@ssw0rd | ||
| login_response: | ||
| properties: | ||
| token: | ||
| type: string | ||
| description: opaque token string, callers should set custom security header to this token before calling further APIs (see security information for protected APIs) | ||
|
|
||
|
|
||
| authorization: | ||
| properties: | ||
| principalName: string | ||
| local: boolean | ||
| role: string | ||
| tenantName: string | ||
| example: | ||
| principalName: johndoe | ||
| local: true | ||
| role: ops | ||
| tenantName: johnstenant | ||
| upd_authorization: | ||
| type: authorization | ||
| authorizations: | ||
| type: array | ||
| items: | ||
| type: authorization |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #%RAML 1.0 ResourceType | ||
| description: Entity representing <<resourcePathName|!singularize>> | ||
| get: | ||
| description: returns <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.<<resourcePathName|!singularize>> | ||
| 404: | ||
| body: | ||
| application/json: | | ||
| {"message": "<<resourcePathName|!singularize>> not found" } | ||
| delete: | ||
| description: deletes <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 204: | ||
| put?: | ||
| description: updates/creates <<resourcePathName|!singularize>> | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.upd_<<resourcePathName|!singularize>> | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.<<resourcePathName|!singularize>> | ||
| 404: | ||
| body: | ||
| application/json: | | ||
| {"message": "<<resourcePathName|!singularize>> not found" } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| #%RAML 1.0 ResourceType | ||
| description: A collection of <<resourcePathName>> | ||
| get: | ||
| description: returns a list of <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.<<resourcePathName>> | ||
| post: | ||
| description: Add a new <<resourcePathName|!singularize>>. | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.<<resourcePathName|!singularize>> | ||
| responses: | ||
| 201: | ||
| 404: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| #%RAML 1.0 SecurityScheme | ||
|
|
||
| description: | | ||
| A custom security scheme for authenticating requests. | ||
| type: x-custom | ||
| describedBy: | ||
| headers: | ||
| X-Auth-Token: | ||
| description: | | ||
| Used to send a custom token. Obtained via /login API. | ||
| type: string | ||
| responses: | ||
| 401: | ||
| description: | | ||
| Authentication failed. | ||
| 403: | ||
| description: | | ||
| Forbidden. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| #%RAML 1.0 ResourceType | ||
| description: Entity representing <<resourcePathName|!singularize>> | ||
| get: | ||
| description: returns <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.<<resourcePathName|!singularize>> | ||
| 404: | ||
| body: | ||
| application/json: | | ||
| {"message": "<<resourcePathName|!singularize>> not found" } | ||
| delete: | ||
| description: deletes <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 204: | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| #%RAML 1.0 ResourceType | ||
| description: Entity representing <<resourcePathName|!singularize>> | ||
| get: | ||
| description: returns <<resourcePathName|!singularize>>. | ||
| responses: | ||
| 200: | ||
| body: | ||
| application/json: | ||
| type: <<provider>>.inspect_<<resourcePathName|!singularize>> | ||
| 404: | ||
| body: | ||
| application/json: | | ||
| {"message": "<<resourcePathName|!singularize>> not found" } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.