# Emergency Access Authorization Service This is a binary to start a server used in the Emergency Access system to authorize Remote CLI users. The service communicates with `ea-ws`, `ea-rulesengine` and `ea-userservice`, and is expected to run in a kube cluster. The libraries used to build up the source code can be found under `pkg/sds/emergencyaccess/authservice`. - [Emergency Access Authorization Service](#emergency-access-authorization-service) - [Database](#database) - [Authorization](#authorization) - [Endpoints](#endpoints) - [Authorize Command](#authorize-command) - [Authorize Request](#authorize-request) - [Authorize Target](#authorize-target) - [Resolve Target](#resolve-target) - [Authorize User](#authorize-user) ## Database Authservice requires a connection to the postgres database to authorize session details. It is possible to connect to a local DB instance or a GCP Cloud SQL instance. Connection details are set via environment variables or command line flags. To connect to the GCP Cloud SQL instance the instance connection name `DATABASE_CONNECTION_NAME`, the username of the GCP service account or user `DATABASE_USERNAME`, and database name `DATABASE_NAME` is required. To connect to a local instance the database hostname and port `DATABASE_HOST` and `DATABASE_PORT`, the user to connect with `DATABASE_USERNAME` and `DATABASE_PASSWORD`, as well as the `DATABASE_NAME` is required. ## Authorization Authservice is expected to be deployed behind the [auth-proxy](../../../edge/auth-proxy/server.go) which will do all user authentication for emergencyaccess. Only user authorization is done within the emergencyaccess services Authservice requires a set of authentication headers on all incoming http requests to identify the pre-authenticated user. The following table documents the required headers: | Header | Type | Multi-Valued | Details | | ----------------- | ------ | ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `X-Auth-Username` | string | false | The value of this header indicates the unique username of the user attempting to connect. This value must not be empty. | | `X-Auth-Email` | string | false | The email address of the user attempting to connect. This value must not be empty. | | `X-Auth-Roles` | string | true | This header contains the Edge Roles that have been assigned to the user. | | `X-Auth-Banners` | string | true | This header contains all of the banners that the user is allowed to access. If a user is an Org Viewer or Admin, this header must include all banners within the org, not only those the user has been assigned. | Multi-Valued indicates the header allows setting multiple values. This can be done by specifying the header multiple times, with one value per header, e.g. ``` X-Auth-Roles: role1 X-Auth-Roles: role2 ``` # Endpoints ## Authorize Command Returns a valid response with status 200 if the command is permitted according to the rules engine. __URI__: `/authorizeCommand` __Method__ : `POST` __Request__: ```json { "command":"somecommand", "target": { "bannerID":"a-banner-id" } "authDetails":{ "darkmode":true/false } } ``` __Response__: ```json { "valid":true } ``` __Error codes__: code | error -|- 200 | ok 400 | bad request (60201,60202) 403 | forbidden (60003) 500 | internal server error ## Authorize Request Returns a valid structured request response with status 200 if the request is valid and permitted according to the rules engine. __URI__: `/authorizeRequest` __Method__ : `POST` __Request__: ```json { "request": { "data": { /* request message data - structured differently depending on message version */ }, "attributes": { "version": "1.0", "type": "" } }, "target": { "projectID": "projectID", "bannerID": "bannerID", "storeID": "storeID", "terminalID": "terminalID" } } ``` __Response__: ```json { "request": { "data": { /* request message data - structured differently depending on message version */ }, "attributes": { "version": "1.0", "type": "", "bannerId": "bannerID", "storeId": "storeID", "terminalId": "terminalID", "identity": "username } } } ``` __Error codes__: | code | error | | - | - | | 200 | ok | | 400 | bad request (60201,60202) | | 403 | forbidden (60003, 62001) | | 500 | internal server error | ## Authorize Target Returns a 200 OK with no response if permitted. 403 if unauthorized. __URI__: `/authorizeTarget` __Header__: see Authentication header in eagateway README. __Method__ : `POST` __Request__: ```json { "target": { "projectid": "a-project-id", "bannerid": "a-banner-id", "storeid": "a-store-id", "terminalid": "a-terminal-id" } } ``` __Error codes__: code | error -|- 200 | ok 400 | bad request (60201) 403 | forbidden (60003) 500 | internal server error ## Resolve Target Verifies the existence of a given target (without a project ID) and returns a 200 code and the resolved target ID details if successful. __URI__: `/resolveTarget` __Method__ : `POST` __Request__: ```json { "target": { "bannerid": "a-banner-id-or-name", "storeid": "a-store-id-or-name", "terminalid": "a-terminal-id-or-name" } } ``` __RESPONSE__: ```json { "target": { "projectid": "a-project-id", "bannerid": "a-banner-id", "storeid": "a-store-id", "terminalid": "a-terminal-id" } } ``` __Error codes__: code | error | cause -|-|- 200 | ok | Target resolved 400 | bad request | Target not resolved: Invalid payload structure (60201), invalid payload properties (60202), target details not found (61202) 500 | internal server error | Server Error (60101) ## Authorize User Verifies the User is authorized by confirming the user is assigned at least 1 emergency access privilege. __URI__: `/authorizeUser` __Method__ : `POST` __Request__: Empty Request __RESPONSE__: Empty Response __Error codes__: | code | error | cause | | ---- | --------------------- | -------------------- | | 200 | ok | User authorized | | 403 | forbidden | User not authorized | | 500 | internal server error | Server Error (60101) |