Split auth_proxy routes out into auth_proxy.raml, updated Dockerfile to rely on bindmounts rather than copying in files, changed protocol to https

dseevr · dseevr · commit 8cc3dc69a2d0 · 2017-03-23T15:17:38.000-07:00
Signed-off-by: Bill Robinson &lt;dseevr@users.noreply.github.com&gt;
diff --git a/scripts/build.sh b/scripts/build.sh
@@ -17,8 +17,6 @@ mv spec/netmaster.raml ./spec/contiv/libraries/netmaster.raml
 # run the raml2html tool to generate docs under spec/docs
 pushd spec
 make docs
-mkdir -p docs
-mv contiv.html docs/
 popd
 
 # because we have to do some tidying up of the output HTML and it requires some
diff --git a/spec/Dockerfile b/spec/Dockerfile
@@ -2,10 +2,8 @@ FROM node:alpine
 
 RUN npm install -g raml2html
 
-COPY . /contiv
+RUN mkdir /contiv
 
 WORKDIR /contiv
 
-RUN raml2html -i contiv.raml -o contiv.html
-
-ENTRYPOINT ["/bin/sh"]
+ENTRYPOINT ["raml2html"]
diff --git a/spec/Makefile b/spec/Makefile
@@ -1,6 +1,6 @@
 all: docs
 
 docs:
-	@./build.sh
+	@bash ./build.sh
 
 .PHONY: docs
diff --git a/spec/auth_proxy.raml b/spec/auth_proxy.raml
@@ -0,0 +1,96 @@
+#%RAML 1.0
+title: Contiv
+description: Contiv API Specification
+version: v1
+baseUri:
+  value: https://{serverfqdn}:10000/api/{version}
+  (rediractable): true
+baseUriParameters:
+  serverfqdn:
+    type: string
+protocols: [  HTTPS ]
+mediaType: [ application/json ]
+
+resourceTypes:
+  collection: !include contiv/schemas/collection.raml
+  non-upd-collection-item: !include contiv/schemas/non-upd-collection-item.raml
+  collection-item: !include contiv/schemas/collection-item.raml
+  ro-collection-item: !include contiv/schemas/ro-collection-item.raml
+
+annotationTypes:
+  info:
+    properties:
+      license:
+        type: string
+        enum: [ "Apache 2.0" ]
+    allowedTargets: API
+  rediractable: boolean
+
+securitySchemes:
+  custom_scheme: !include contiv/schemas/custom-scheme.raml
+
+# Resource templates
+uses:
+  auth_proxy: contiv/libraries/auth_proxy.raml
+
+securedBy: custom_scheme
+
+# auth_proxy endpoints
+/auth_proxy:
+  displayName: Auth API
+  description: Authentication/Authorization related API
+
+  /health:
+    get:
+      securedBy: [ null ]
+      responses:
+        200:
+          body:
+            application/json:
+              type: auth_proxy.health
+
+  /login:
+    post:
+      description: Login to Contiv API server
+      securedBy: [ null ]
+      body:
+        application/json:
+          type: auth_proxy.login
+      responses:
+        200:
+          body:
+            application/json:
+              type: auth_proxy.login_response
+        400:
+        401:
+
+  /version:
+    get:
+      securedBy: [ null ]
+      responses:
+        200:
+          body:
+            application/json: |
+              { "version": "1.0.0-beta" }
+
+  /authorizations:
+    type: {collection: {provider: auth_proxy}}
+    displayName: Authorizations
+
+    /{authzUUID}:
+      type: {non-upd-collection-item: {provider: auth_proxy}}
+      displayName: Authorization
+
+  /local_users:
+    type: {collection: {provider: auth_proxy}}
+    displayName: Local Users
+
+    /{username}:
+      type: {collection-item: {provider: auth_proxy}}
+      displayName: Local User
+      put:
+
+  /ldap_configuration:
+    type: {collection-item: {provider: auth_proxy}}
+    displayName: LDAP Configuration
+    put:
diff --git a/spec/auth_proxy/libraries/auth_proxy.raml b/spec/auth_proxy/libraries/auth_proxy.raml
@@ -0,0 +1,126 @@
+#%RAML 1.0 Library
+types:
+  health:
+    properties:
+      status:
+        enum: [ "healthy", "unhealthy" ]
+      version: string
+      netmaster:
+        properties:
+          status:
+            enum: [ "healthy", "unhealthy" ]
+          reason: 
+            type: string
+            required: false
+            description: reason for netmaster being unhealthy
+          version: 
+            type: string
+            required: false
+            description: omitted in case netmaster is unhealthy
+    example: |
+      {"netmaster":{"status":"healthy","version":"pv1.0.0-alpha-01-27-2017.23-16-47.UTC"},"status":"healthy","version":"1.0.0-alpha"}
+      
+  ldap_configuration:
+    properties:
+      server:
+        type: string
+        description: FQDN or IP address of AD server
+        example: auth.local.com
+      port:
+        type: integer
+        format: int16
+        minimum: 0
+        description: port where AD server is listening
+        example: 389
+      base_dn: 
+        type: string
+        description: Distinguished name for base entity. All search queries will be scope to this BaseDN
+        example: ou=eng,dc=auth,dc=com
+      service_account_dn:
+        type: string
+        description: DN of the service account. auth_proxy will use this account to communicate with AD server. Hence this account must have appropriate privileges, specifically for lookup.
+      service_account_password:
+        type: string
+      start_tls:
+        type: boolean
+        description: switch session to TLS after proxy connects to AD server. This option must be configured on AD server. Recommended to set to true in production environments.
+      insecure_skip_verify:
+        type: boolean
+        description: skip cert check on AD server. Recommended to set to false for production environments.
+  upd_ldap_configuration:
+    type: ldap_configuration
+
+
+  local_user:
+    properties:
+      username: string
+      password: string
+      firstname: 
+        type: string
+        example: John
+        required: false
+      lastname:
+        type: string
+        example: Doe
+        required: false
+      disable:
+        type: boolean
+        required: false
+    example:
+      username: johndoe
+      password: p@ssw0rd
+  upd_local_user:
+    properties:
+      firstname: 
+        type: string
+        required: false
+      lastname: 
+        type: string
+        required: false
+      disable: 
+        type: boolean
+        required: false
+      password:
+        type: string
+        required: false
+    example:
+      firstname: Jane
+      disable: true
+  local_users:
+    type: array
+    items: 
+      type: local_user
+
+  login:
+    properties:
+      username:
+        type: string
+        description: user name. If a local user doesn't exist by that name, AD authentication will be tried using sAMAccountName=username in BaseDN scope of the AD server (see ldap configuration for more details)
+      password: string
+    example:
+      username: johndoe
+      password: p@ssw0rd
+  login_response:
+    properties:
+      token:
+        type: string
+        description: opaque token string, callers should set custom security header to this token before calling further APIs (see security information for protected APIs)
+
+
+  authorization:
+    properties:
+      principalName: string
+      local: boolean
+      role: string
+      tenantName: string
+    example:
+      principalName: johndoe
+      local: true
+      role: ops
+      tenantName: johnstenant
+  upd_authorization:
+    type: authorization
+  authorizations:
+    type: array
+    items:
+      type: authorization
diff --git a/spec/auth_proxy/schemas/collection-item.raml b/spec/auth_proxy/schemas/collection-item.raml
@@ -0,0 +1,32 @@
+#%RAML 1.0 ResourceType
+description: Entity representing <<resourcePathName|!singularize>>
+get:
+  description: returns <<resourcePathName|!singularize>>.
+  responses:
+    200:
+      body:
+        application/json:
+          type: <<provider>>.<<resourcePathName|!singularize>>
+    404:
+      body:
+        application/json: |
+          {"message": "<<resourcePathName|!singularize>> not found" }
+delete:
+  description: deletes <<resourcePathName|!singularize>>.
+  responses:
+    204:
+put?:
+  description: updates/creates <<resourcePathName|!singularize>>
+  body:
+    application/json: 
+      type: <<provider>>.upd_<<resourcePathName|!singularize>>
+  responses:
+    200:
+      body:
+        application/json:
+          type: <<provider>>.<<resourcePathName|!singularize>>
+    404:
+      body:
+        application/json: |
+          {"message": "<<resourcePathName|!singularize>> not found" }
+
diff --git a/spec/auth_proxy/schemas/collection.raml b/spec/auth_proxy/schemas/collection.raml
@@ -0,0 +1,17 @@
+#%RAML 1.0 ResourceType
+description: A collection of <<resourcePathName>>
+get:
+  description: returns a list of <<resourcePathName|!singularize>>.
+  responses:
+    200:
+      body:
+        application/json:
+          type: <<provider>>.<<resourcePathName>>
+post:
+  description: Add a new <<resourcePathName|!singularize>>.
+  body:
+    application/json:
+      type: <<provider>>.<<resourcePathName|!singularize>>
+  responses:
+    201:
+    404:
diff --git a/spec/auth_proxy/schemas/custom-scheme.raml b/spec/auth_proxy/schemas/custom-scheme.raml
@@ -0,0 +1,19 @@
+#%RAML 1.0 SecurityScheme
+
+description: |
+  A custom security scheme for authenticating requests.
+type: x-custom
+describedBy:
+  headers:
+    X-Auth-Token:
+      description: |
+        Used to send a custom token. Obtained via /login API.
+      type: string
+  responses:
+    401:
+      description: |
+        Authentication failed.
+    403:
+      description: | 
+        Forbidden.
+
diff --git a/spec/auth_proxy/schemas/non-upd-collection-item.raml b/spec/auth_proxy/schemas/non-upd-collection-item.raml
@@ -0,0 +1,18 @@
+#%RAML 1.0 ResourceType
+description: Entity representing <<resourcePathName|!singularize>>
+get:
+  description: returns <<resourcePathName|!singularize>>.
+  responses:
+    200:
+      body:
+        application/json:
+          type: <<provider>>.<<resourcePathName|!singularize>>
+    404:
+      body:
+        application/json: |
+          {"message": "<<resourcePathName|!singularize>> not found" }
+delete:
+  description: deletes <<resourcePathName|!singularize>>.
+  responses:
+    204:
+
diff --git a/spec/auth_proxy/schemas/ro-collection-item.raml b/spec/auth_proxy/schemas/ro-collection-item.raml
@@ -0,0 +1,13 @@
+#%RAML 1.0 ResourceType
+description: Entity representing <<resourcePathName|!singularize>>
+get:
+  description: returns <<resourcePathName|!singularize>>.
+  responses:
+    200:
+      body:
+        application/json:
+          type: <<provider>>.inspect_<<resourcePathName|!singularize>>
+    404:
+      body:
+        application/json: |
+          {"message": "<<resourcePathName|!singularize>> not found" }
diff --git a/spec/build.sh b/spec/build.sh
@@ -2,7 +2,21 @@
 
 set -euo pipefail
 
-docker build -t contiv/spec .
-cid=$(docker run -itd contiv/spec)
-docker cp ${cid}:/contiv/contiv.html .
-docker rm -fv ${cid}
+IMAGE_NAME="contiv/raml2html"
+
+mkdir -p docs
+
+docker build -t $IMAGE_NAME .
+
+echo "generating netmaster docs"
+docker run --rm \
+       -u $(id -u):$(id -g) \
+       -v $(pwd):/contiv \
+       $IMAGE_NAME -i contiv.raml -o docs/contiv.html
+
+echo "generating auth_proxy docs"
+docker run --rm \
+       -u $(id -u):$(id -g) \
+       -v $(pwd):/contiv \
+       $IMAGE_NAME -i auth_proxy.raml -o docs/auth_proxy.html
+
diff --git a/spec/contiv.raml b/spec/contiv.raml
diff --git a/spec/docs/auth_proxy.html b/spec/docs/auth_proxy.html
diff --git a/spec/docs/contiv.html b/spec/docs/contiv.html
