@restorecommerce/acs-client
Advanced tools
Features:
access-control-srv when requesting access to a particular resource with a specific action on it.access-control-srv.whatIsAllowed requests.isAllowed and whatIsAllowed request operations using redis.The access-control-srv URN configurations needs to be set using authorization configuration to acs-client from access requesting microservice.
The URN for role scoping entity for Organization/ business units should be set using configuration property authorization.urns.orgScope.
orgScope: 'urn:<organization>:acs:model:<Entity_Name>'
ex: orgScope: 'urn:restorecommerce:acs:model:organization.Organization'
The applicable policies / rules can be enforced on the request using enforce configuration.
The cache configurations for redis can be set using authorization:cache configuration.
The client exposes the following api's:
accessRequestIt turns an API request as can be found in typical Web frameworks like express, koa etc. into a proper ACS request. For write operations it uses isAllowed and for read operations it uses whatIsAllowed operation from access-control-srv.
Requests are performed providing Request message as input and response is Response message type. For the read operations it extends the filter provided in the ReadRequst of the input message to enforce the applicapble poilicies. The response is Decision or policy set reverse query PolicySetRQ depending on the requeste operation isAllowed() or whatIsAllowed() respectively.
Request
| Field | Type | Label | Description |
|---|---|---|---|
| action | Enum | required | action to be performed on the resource (CREATE, READ, MODIFY, DELETE or ALL) |
| request | Resource or Resource [ ] or ReadRequest | required | list of target resources or read request |
| ctx | Context | required | context containing user details (ID and role-associations) |
Response
| Field | Type | Label | Description |
|---|---|---|---|
| Decision | Decision | optional | Access decision; possible values are PERMIT, DENY or INDETERMINATE |
| PolicySetRQ | PolicySetRQ [ ] | optional | List of applicable policy sets |
Resource
| Field | Type | Label | Description |
|---|---|---|---|
| type | string | requried | resource entity name |
| fields | string [ ] | optional | list of fields for accessing or modifying resource |
| instance | string | optional | instance identifier of the resource |
| namespace | string | optional | namespace prefix for resource entity |
ReadRequest
| Field | Type | Label | Description |
|---|---|---|---|
| entity | string | requried | resource entity name to be read |
| args | io.restorecommerce.resourcebase.ReadRequest | optional | query arguments |
| database | string | optional | database for read request, currently arangodb and postgres are supported |
| namespace | string | optional | namespace prefix for resource entity |
Decision
| Field | Type | Label | Description |
|---|---|---|---|
| decision | io.restorecommerce.access_control.Decision | required | Access decision; possible values are PERMIT, DENY or INDETERMINATE |
PolicySetRQ
| Field | Type | Label | Description |
|---|---|---|---|
| policy_sets | [ ] io.restorecommerce.policy_set.PolicySetRQ | required | List of applicable policy sets |
isAllowedThis API exposes the isAllowed api of access-control-srv and retruns the response as Decision.
Requests are performed providing io.restorecommerce.access_control.Request message as input and response is io.restorecommerce.access_control.Response message.
whatIsAllowedThis API exposes the isAllowed api of access-control-srv and retruns the response as Decision. Requests are performed providing io.restorecommerce.access_control.Request message as input and response is io.restorecommerce.access_control.ReverseQuery message.
flushCacheThis API flushes the ACS cache from redis. An optional prefix key can be provided to flush instead of entire cache.
This client supports caching for isAllowed and whatIsAllowed access request operations if authorization:cache options are set. The time to live for redis key can be set using authorization:cache:ttl configuration. The hash key for caching the request is generated using MD5 hash algorithm.
For whatIsAllowed operations Request Object is used to generate the hash key and for isAllowed operations io.restorecommerce.access_control.Target Object is used since the resource data changes.
Each of the ACS request is associated with an ID of subject, this subject ID is included in the hash key as prefix to keep track of mapping between ACS requests and cached data.
The cache can be invalidated by invoking flushCache api with subject ID as prefix parameter.
For a simple example on how to use this client with a access-control-srv check the test cases.
npm run test
npm install
# compile the code
npm run build
FAQs
Access Control Service Client
The npm package @restorecommerce/acs-client receives a total of 370 weekly downloads. As such, @restorecommerce/acs-client popularity was classified as not popular.
We found that @restorecommerce/acs-client demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.