Atrix ACL
Atrix plugin providing Access Control Lists to requests to specific routes.
Compatibility
atrix-acl >= 4.0.0
work with artix >= 6.0.0
.
For versin compatible with atrix < 6.0.0
checkouot v3
branch
Configuration
Sample Configuration:
acl: {
aclDefinition: path.join(__dirname, './acls'),
allowInject: true,
tokenResourceAccessRoleKey: 'pathfinder-app',
endpoints: [
'^(?!(/alive|/reset))',
],
}
- aclDefinition - path to the aclDefinition file, should return a method which returns an array of ACLs
- allowInject - allow hapi-inject routes, without applying ACLs
- tokenResourceAccessRoleKey - name of the default app in the JWT-token
- endpoints - endpoints which should be ignored
ACL Definitions
Example:
{ role: 'admin', path: '/*a', method: '*' }
Allow user with role admin to access all paths with all methods
{ role: 'editor1', path: '/pets/:petId', method: 'put' }
Allow user with role editor1 access to path /pets/:petId with PUT method
{ userId: '242', path: '/pets/123', method: 'get' }
Allow user with userId 242 access to specific resource path /pets/123 with GET method
{ userId: '242', transition: 'cancel:speaker', method: '*' }
Allow user with userId 242 to perform transition 'cancel:speaker'
{ userId: '242', transition: 'cancel:(*_)', method: '*' }
Allow user with userId 242 to perform any transition starting with 'cancel:'
The AtrixACL uses route-parser npm package, to test incoming paths against the defined routes (similar to Hapi route definition).
Rules / Token
The user role is extracted from the JWToken via the authorization header. The AtrixACL plugin assumes the following format of a token:
credentials: {
preferred_username: "john.doe",
email: "john.doe@test.com",
name: "John Doe",
resource_access: {
voegb: { roles: ['admin'] },
ak: { roles: ['admin'] },
'pathfinder-app': { roles: ['super-admin'] },
}
}
Given a configuration with the tokenResourceAccessRoleKey set to pathfinder-app, the AtrixACL uses this value as the default-role for the user (in the example above: 'super-admin')
If a x-pathfinder-tenant-ids header field is present, all the corresponding (tenant-specific) roles are extracted from the token and also tested agains the ACLs.
Requests
The AtrixACL plugin hooks into two handlers of the hapi request-lifecycle:
- onPreHandler
- onPreResponse
onPreHandler
The plugins checks if the current user/role has access to the requested route. If not, it returns status-code 401. The options allowInject and endpoints are taken into consideration.
onPreResponse
The plugins checks if a _links object is present in the response (or, if response-body is an array, in every item of the array) and manipulates the response-body. If present, every link/href in the hatr-links object is tested agains the ACLs and set to false, if the user/role has no access to a specific action/transition.