Ack, will do that.

On Fri, Aug 16, 2019 at 12:16 AM Harsha Kumara <[email protected]> wrote:
> @Vithursa Mahendrarajah <[email protected]> Once you implement, let's add
> several test cases with special characters, secondary user store roles and
> so on.
>
> On Thu, Aug 15, 2019 at 4:16 PM Vithursa Mahendrarajah <[email protected]> wrote:
>
>> Hi all,
>>
>> Thanks for the suggestions. As per the suggestions, we have decided to go
>> with the HEAD request option. As mentioned earlier in this thread, the
>> following are the scenarios where role validation is required:
>>
>> 1. API Design phase
>>    - Publisher access control - check whether the role exists and the
>>      logged-in user has the role
>>    - Store visibility - check whether the role exists or not
>> 2. API Manage phase - when adding a new scope - check whether the role
>>    exists or not
>>
>> We have decided to add the OAuth2 scope as apim:api_create as these
>> functionalities are used by the API creator.
>>
>> As per the offline discussion had with @Malintha Amarasinghe
>> <[email protected]> and @Kasun Thennakoon <[email protected]>, when
>> checking whether the logged-in user has a particular role, claims in the ID
>> token stored in browser local storage could be used. Considering the
>> possibility of manipulating the ID token in local storage, the complexity in
>> handling it when using a secondary user store, and the security concerns in
>> exposing the roles assigned to a particular user, we have decided to
>> introduce another REST API to check whether the logged-in user has the given
>> role, as this would be cleaner.
>>
>> Please find the REST API definition as follows:
>>
>>     ######################################################
>>     # The Role Name Existence
>>     ######################################################
>>     /roles/{roleName}:
>>       #-----------------------------------------------------
>>       # The role name existence check resource
>>       #-----------------------------------------------------
>>       head:
>>         security:
>>           - OAuth2Security:
>>             - apim:api_create
>>         summary: Check whether the given role name already exists
>>         description: Using this operation, you can check whether the given role already exists
>>         parameters:
>>           - $ref: '#/parameters/roleName'
>>         responses:
>>           200:
>>             description: |
>>               OK.
>>               Requested role name is returned.
>>           404:
>>             description: |
>>               Not Found.
>>               Requested role name does not exist.
>>
>>     ######################################################
>>     # The Role Name Existence for the logged-in user
>>     ######################################################
>>     /me/roles/{roleName}:
>>       #-----------------------------------------------------
>>       # Validate role against a user
>>       #-----------------------------------------------------
>>       head:
>>         security:
>>           - OAuth2Security:
>>             - apim:api_create
>>         summary: Validate whether the logged-in user has the given role
>>         description: Using this operation, the logged-in user can check whether he has the given role.
>>         parameters:
>>           - $ref: '#/parameters/roleName'
>>         responses:
>>           200:
>>             description: |
>>               OK.
>>               Logged-in user has the role.
>>           404:
>>             description: |
>>               Not Found.
>>               Logged-in user does not have the role.
>>
>> Appreciate any feedback on this.
>>
>> Thanks,
>> Vithursa
>>
>> On Thu, Aug 15, 2019 at 11:35 AM Naduni Pamudika <[email protected]> wrote:
>>
>>> +Vithursa Mahendrarajah <[email protected]>
>>>
>>> On Mon, Aug 12, 2019 at 5:26 PM Sanjeewa Malalgoda <[email protected]> wrote:
>>>
>>>> On Thu, Aug 8, 2019 at 9:08 PM Malintha Amarasinghe <[email protected]> wrote:
>>>>
>>>>> When we return a 404, it implies that the URL (or the resource) does
>>>>> not exist. Here the URL/resource is */validate-role* (a controller
>>>>> resource) which always exists, so it is wrong to return a 404 in any case.
>>>>>
>>>> Yes, agree with this, and a controller resource (as query params are
>>>> optional, the controller resource will be the resource) is not ideal for this.
>>>> Using HEAD would be a good option. Like Nirmal mentioned, any additional
>>>> parameters related to filter criteria can be passed as query parameters.
>>>>
>>>> Thanks,
>>>> sanjeewa/
>>>>
>>>>> Thanks!
>>>>>
>>>>> On Thu, Aug 8, 2019 at 7:12 PM Menaka Jayawardena <[email protected]> wrote:
>>>>>
>>>>>> Hi Naduni,
>>>>>>
>>>>>> Why does the GET request always return 200?
>>>>>> Can't we set the status code 404 if the role is not found? Then we can
>>>>>> check the response status from the UI. We do not want to read the body
>>>>>> then.
>>>>>>
>>>>>> On Thu, Aug 8, 2019 at 6:05 PM Naduni Pamudika <[email protected]> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>>
>>>>>>> Thanks all for the suggestions. With the GET method @Bhathiya
>>>>>>> Jayasekara <[email protected]> suggested, we have the following 2
>>>>>>> options now.
>>>>>>>
>>>>>>> 1. *HEAD /roles/{roleName}*
>>>>>>> 2. *GET /validate-role?role=rolename*
>>>>>>>
>>>>>>> If we go with option 1, it will simplify the work on the UI side
>>>>>>> while doing the role validations using the REST API, since we can do the
>>>>>>> validation by looking at the status code (if the role exists it is a 200
>>>>>>> and if not it is a 404).
>>>>>>> If we go with option 2, it will always return
>>>>>>> a 200 status code and we need to check the response body to validate a
>>>>>>> particular role name (we can send *isRoleExist=true* and
>>>>>>> *isRoleExist=false* in the response body depending on the existence
>>>>>>> of a role name).
>>>>>>>
>>>>>>> Since most of us are +1 with option 2, shall we move forward
>>>>>>> with the GET method?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Naduni
>>>>>>>
>>>>>>> On Wed, Aug 7, 2019 at 7:27 PM Bhathiya Jayasekara <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Wed, Aug 7, 2019 at 6:24 PM Malintha Amarasinghe <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> On Wed, Aug 7, 2019 at 3:39 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> On Wed, Aug 7, 2019 at 3:37 PM Malintha Amarasinghe <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> On Wed, Aug 7, 2019 at 3:35 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Let's say someone wants to check the existence of role foo in
>>>>>>>>>>>> user store TEST. He will do a call /roles/TEST/foo which isn't a
>>>>>>>>>>>> valid request, right?
>>>>>>>>>>>>
>>>>>>>>>>> @Harsha Kumara <[email protected]> we need to URL-encode the
>>>>>>>>>>> role name. The request will become /roles/TEST%2Ffoo
>>>>>>>>>>>
>>>>>>>>>> Yes, that's true. Again, some customers might have different
>>>>>>>>>> letters in their role names. Might not be a good idea to include it as
>>>>>>>>>> a path parameter.
>>>>>>>>>>
>>>>>>>>> Even if we add it as a query param, that will go as part of the URL,
>>>>>>>>> which might lead to similar issues? We may need to test this for query
>>>>>>>>> parameters as well.
>>>>>>>>>
>>>>>>>>> I preferred the HEAD method due to the simplicity (only need to
>>>>>>>>> respond with 204 or 404 without any payload based on the availability of
>>>>>>>>> the role) and RESTfulness (consider a role as a resource and do a fetch on
>>>>>>>>> it in the usual way). HEAD is the usual way of checking the existence of a
>>>>>>>>> resource. However, we do not have the need for implementing a GET here for
>>>>>>>>> now.
>>>>>>>>>
>>>>>>>> This is actually my worry. I don't think we'll ever have to give
>>>>>>>> a /roles/{role} in the publisher APIs. So having a HEAD without a GET feels
>>>>>>>> strange to me. Maybe it's just me.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Bhathiya
>>>>>>>>
>>>>>>>>>>>> On Wed, Aug 7, 2019 at 3:33 PM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Adding [Architecture]
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Aug 7, 2019 at 3:30 PM Mushthaq Rumy <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Since we will be using UserStoreManager, this should cover the
>>>>>>>>>>>>>> secondary user stores as well.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>>> Mushthaq
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Aug 7, 2019 at 3:28 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> What happens if the role is from a secondary user store?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Aug 7, 2019 at 3:24 PM Naduni Pamudika <[email protected]> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi All,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> We are planning to add a REST API endpoint to the APIM 3.0
>>>>>>>>>>>>>>>> Publisher REST APIs, and the intention is to check the existence of a
>>>>>>>>>>>>>>>> particular role name.
>>>>>>>>>>>>>>>> This will be used in order to manage roles when
>>>>>>>>>>>>>>>> enabling Publisher Access Control and Store Visibility and when adding
>>>>>>>>>>>>>>>> Scopes.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The swagger definition for the new endpoint would be as follows.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     ######################################################
>>>>>>>>>>>>>>>>     # The Role Name Existence
>>>>>>>>>>>>>>>>     ######################################################
>>>>>>>>>>>>>>>>     /roles/{roleName}:
>>>>>>>>>>>>>>>>       #-----------------------------------------------------
>>>>>>>>>>>>>>>>       # The role name existence check resource
>>>>>>>>>>>>>>>>       #-----------------------------------------------------
>>>>>>>>>>>>>>>>       head:
>>>>>>>>>>>>>>>>         security:
>>>>>>>>>>>>>>>>           - OAuth2Security:
>>>>>>>>>>>>>>>>             - apim:api_view
>>>>>>>>>>>>>>>>         summary: |
>>>>>>>>>>>>>>>>           Check whether the given role name already exists
>>>>>>>>>>>>>>>>         description: |
>>>>>>>>>>>>>>>>           Using this operation, you can check whether a given
>>>>>>>>>>>>>>>>           role name is already used. You need to provide the role name
>>>>>>>>>>>>>>>>           you want to check.
>>>>>>>>>>>>>>>>         parameters:
>>>>>>>>>>>>>>>>           - $ref: '#/parameters/roleName'
>>>>>>>>>>>>>>>>         responses:
>>>>>>>>>>>>>>>>           200:
>>>>>>>>>>>>>>>>             description: |
>>>>>>>>>>>>>>>>               OK.
>>>>>>>>>>>>>>>>               Requested role name is returned.
>>>>>>>>>>>>>>>>           404:
>>>>>>>>>>>>>>>>             description: |
>>>>>>>>>>>>>>>>               Not Found.
>>>>>>>>>>>>>>>>               Requested role name does not exist.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>     ######################################################
>>>>>>>>>>>>>>>>     # Role Name
>>>>>>>>>>>>>>>>     roleName:
>>>>>>>>>>>>>>>>       name: roleName
>>>>>>>>>>>>>>>>       in: path
>>>>>>>>>>>>>>>>       description: |
>>>>>>>>>>>>>>>>         The role name
>>>>>>>>>>>>>>>>       required: true
>>>>>>>>>>>>>>>>       type: string
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> It is a HEAD method (*/roles/{roleName}*) which will
>>>>>>>>>>>>>>>> return a 200 status code if the given role name exists and a 404 status
>>>>>>>>>>>>>>>> code if the given role name is not found. Sample requests and responses are
>>>>>>>>>>>>>>>> given below.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Request:
>>>>>>>>>>>>>>>>     HEAD https://localhost:9443/api/am/publisher/v1.0/roles/valid-role HTTP/1.1
>>>>>>>>>>>>>>>>     Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Response:
>>>>>>>>>>>>>>>>     HTTP/1.1 200 OK
>>>>>>>>>>>>>>>>     Connection: keep-alive
>>>>>>>>>>>>>>>>     Content-Length: 0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Request:
>>>>>>>>>>>>>>>>     HEAD https://localhost:9443/api/am/publisher/v1.0/roles/invalid-role HTTP/1.1
>>>>>>>>>>>>>>>>     Authorization: Bearer ae4eae22-3f65-387b-a171-d37eaa366fa8
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Response:
>>>>>>>>>>>>>>>>     HTTP/1.1 404 Not Found
>>>>>>>>>>>>>>>>     Connection: keep-alive
>>>>>>>>>>>>>>>>     Content-Length: 0
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Are we good to have the endpoint definition as this?
>>>>>>>>>>>>>>>> Appreciate your inputs to proceed further.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>>> Naduni
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> *Naduni Pamudika* | Senior Software Engineer | WSO2 Inc.
>>>>>>>>>>>>>>>> (m) +94 (71) 9143658 | (w) +94 (11) 2145345 | (e) [email protected]
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>>>>>>> Email: [email protected]
>>>>>>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Mushthaq Rumy
>>>>>>>>>>>>>> *Senior Software Engineer*
>>>>>>>>>>>>>> Mobile : +94 (0) 779 492140
>>>>>>>>>>>>>> Email : [email protected]
>>>>>>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>>>>>>> lean . enterprise . middleware.
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> Malintha Amarasinghe
>>>>>>>>>>> *WSO2, Inc. - lean | enterprise | middleware*
>>>>>>>>>>> http://wso2.com/
>>>>>>>>>>> Mobile : +94 712383306
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Bhathiya Jayasekara* | Technical Lead | WSO2 Inc.
>>>>>>>> (m) +94 71 547 8185 | (e) bhathiya-@t-wso2-d0t-com
>>>>>>
>>>>>> --
>>>>>> *Menaka Jayawardena*
>>>>>> Senior Software Engineer | WSO2 Inc.
>>>>>> +94 71 350 5470 | +94 76 717 2511 | [email protected]
>>>>
>>>> --
>>>> *Sanjeewa Malalgoda*
>>>> Software Architect | Associate Director, Engineering - WSO2 Inc.
>>>> (m) +94 712933253 | (e) [email protected] | (b) Blogger
>>>> <http://sanjeewamalalgoda.blogspot.com>, Medium
>>>> <https://medium.com/@sanjeewa190>
>>>> GET INTEGRATION AGILE
>>>> Integration Agility for Digitally Driven Business
>>
>> --
>> Vithursa Mahendrarajah
>> Software Engineer
>> WSO2 Inc. - http://wso2.com
>> Mobile : +94766695643
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
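The two HEAD endpoints the thread settles on, as an added example that is not part of the original discussion and not WSO2's code. It is a framework-free Python model of the request handling: the apim:api_create scope check, a per-segment URL decode so that a secondary-store role such as TEST/foo can be sent as /roles/TEST%2Ffoo (the encoding concern raised by Harsha and Malintha), an empty-body 200/404 for /roles/{roleName}, and a /me/roles/{roleName} that resolves membership from the server-side principal of the validated token rather than from ID-token claims held in browser local storage. The in-memory user store, the token table, the role names and the function names are constructed stand-ins for the product's UserStoreManager and OAuth2 token validation.

```python
"""Added example (not WSO2 code): a minimal model of
HEAD /roles/{roleName} and HEAD /me/roles/{roleName}.

Everything below the imports is a constructed stand-in; the real product
resolves roles through UserStoreManager and validates tokens via OAuth2.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

REQUIRED_SCOPE = "apim:api_create"

# Constructed sample user store: primary roles plus a secondary store "TEST".
# Secondary-store roles are qualified as DOMAIN/role, so a role containing
# "/" must arrive URL-encoded (TEST%2Ffoo) to stay inside one path segment.
USER_STORE = {
    "roles": {"admin", "Internal/creator", "TEST/foo", "sales & marketing"},
    "user_roles": {
        "alice": {"Internal/creator", "TEST/foo"},
        "bob": {"Internal/creator"},
    },
}

# Constructed bearer tokens -> (user, scopes); stands in for token validation.
TOKENS = {
    "tok-alice": ("alice", {"apim:api_create", "apim:api_view"}),
    "tok-bob": ("bob", {"apim:api_create"}),
    "tok-viewer": ("bob", {"apim:api_view"}),
}


@dataclass
class Response:
    """A HEAD response: status plus headers, never a body."""
    status: int
    headers: dict = field(default_factory=lambda: {"Content-Length": "0"})


def _authenticate(headers):
    """Map a Bearer token to (user, scopes), or None if absent/unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def _split_path(path):
    """Split on raw '/' BEFORE decoding so that %2F inside a role name stays
    within its own segment; then decode each segment individually."""
    return [unquote(seg) for seg in path.strip("/").split("/")]


def handle(method, path, headers):
    """Route HEAD /roles/{roleName} and HEAD /me/roles/{roleName}.

    Returns 405 for other methods, 401 without a valid token, 403 without the
    creator scope, 200 if the check passes and 404 otherwise (no body).
    """
    if method != "HEAD":
        return Response(405)
    principal = _authenticate(headers)
    if principal is None:
        return Response(401)
    user, scopes = principal
    if REQUIRED_SCOPE not in scopes:
        return Response(403)

    segs = _split_path(path)
    if len(segs) == 2 and segs[0] == "roles":
        # Existence of the role in any (primary or secondary) user store.
        found = segs[1] in USER_STORE["roles"]
    elif len(segs) == 3 and segs[:2] == ["me", "roles"]:
        # Membership is resolved from the server-side principal of the
        # validated token, never from claims the browser holds.
        found = segs[2] in USER_STORE["user_roles"].get(user, set())
    else:
        # Anything else, including an unencoded /roles/TEST/foo, is an
        # unknown resource rather than a silently matched role.
        return Response(404)
    return Response(200 if found else 404)


if __name__ == "__main__":
    hdr = {"Authorization": "Bearer tok-alice"}
    for p in ("/roles/admin", "/roles/TEST%2Ffoo", "/roles/TEST/foo",
              "/me/roles/TEST%2Ffoo", "/roles/no-such-role"):
        print(f"HEAD {p} -> {handle('HEAD', p, hdr).status}")
```

Splitting the raw path on "/" before decoding is the part that matters for the special-character cases the thread asks to test: decoding first would turn TEST%2Ffoo into TEST/foo and produce three segments, and an unencoded /roles/TEST/foo is rejected as an unknown path rather than being matched against a role named TEST. Note also that /roles/{roleName} is an existence oracle for every role in every store, which is why the thread gates it behind the creator scope, while /me/roles/{roleName} only ever answers about the caller's own roles.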
