API Authorization Control Technical Document

# API Authorization Control Technical Document **1. Summary** This document defines the rules and configurations used for authorization and access control of resources originating from the Apisix plugin. **2. Key Concepts** This section explains the key concepts and definitions used in the API management platform. - **Resource:** A service or data provided by the API. - **Authorization:** Permission for users or applications to access specific resources. - **Rule:** Conditions and expressions used for access control. - **Privilege:** Permission to access a particular resource or service. - **Method:** Types of operations used in the HTTP protocol (GET, POST, PUT, DELETE, etc.). **3. Resource Management** This section explains how resources are defined and managed in the API management platform. **3.1 Resource Definition** Resources are defined with a specific URL pattern and HTTP method. Example URL patterns and HTTP methods are provided below. **Example:** **URL Pattern:** /fora/DigitalServices/AccountService.svc/accounts/([^/]+)/transactions?startDate=([^/]+)&endDate=([^/]+) **4. Authorization and Privilege Management** Access control to resources is achieved through authorization and privilege management. Access controls are enforced using the concepts of Privilege and Rule. Based on the value of the checkAuthMethod parameter from the query string ("Privilege" or "Rule"), one of these two methods is used. If left empty, the "Privilege" method is used. **4.1 Privilege Method** In this method, the URL of the service performing the check is used. The URL can include variables such as header and query string. **Example:** http://localhost:3000/fora/DigitalServices/AccountService.svc/accounts/match/{header.customerId}/{header.ibanNumber}. - Header variables start with "header.". For example: header.customerId. - Query strings start with "query.". For example: query.startDate. - Regex URLs in the resource are specified with path.var1 starting from 1. For example: path.var1 == "account1". **4.2 Rule Method** In this method, the Microsoft Rule Engine library is used. (https://github.com/microsoft/RulesEngine) - Rule includes expressions based on data sources like "header", "path", "body", and logical operations. **Example Usages:** - Utils.CallApiPost("https://dummyjson.com/products/1", body).IsSuccessStatusCode == true - Utils.CallApiGet("https://dummyjson.com/products/1").Data.price.ToInt() > 500 - Utils.CallApiGet("https://dummyjson.com/products/1").Data.brand.ToString() == "Apple" - Utils.CallApiPost("https://dummyjson.com/products/1", body).StatusCode == 201 **CallApiResponse: ** ``` public class CallApiResponse { public bool IsSuccessStatusCode { get; set; } public int StatusCode { get; set; } public dynamic Data { get; set; } } ``` Since the Data field is dynamic, it must be converted to the desired type using the following Extension Methods: - ToString() - ToInt() (Returns 0 on a failed conversion) - ToDouble() (Returns 0 on a failed conversion) - ToFloat() (Returns 0 on a failed conversion) - ToBool() (Returns false on a failed conversion) - ToDateTime() (Returns DateTime.Min() on a failed conversion) - ToArray() (Returns null on a failed conversion) - CallApiGet(url, header) (Returns the result by making a call to expert services using the URL and header information.) - CallApiPost(url, body, header) (Returns the result by making a call to expert services using the URL and header information.) - ForEachCallApiGet(list, url, header) (Returns the result by making a call to the expert service for all items in a list sent through the body.) - ForEachCallApiPost(list, url, body, header) (Returns the result by making a call to the expert service for all items in a list sent through the body.) **Data Sources Usable in Rules:** - **Header:** HTTP request headers handled by Apisix. Example: header.authorization. - **Path:** URL path segments defined by regex. Example: path.var2 == "customer". - **Body:** JSON data within the request body. Example: body.name == "Ahmet Yılmaz". - **Query:** Query parameters within the URL. Example: query.transactionType == "Transfer". **Logical Operations Usable in Rules:** - == (Equals) - != (Not equals) - <, >, >=, <= (Comparison) - && (And) - || (Or) - ! (Not) **Functions Usable in Rules:** - Utils.CheckContains(string value, string searchValue): Checks if the searchValue exists within the value. **Important Notes:** - External API calls can be made using the Utils.CallApiGet and Utils.CallApiPost functions. - The success status (IsSuccessStatusCode), HttpStatusCode (StatusCode) and content (Data) of the returned data can be included in the control. - The priority of rules is determined in the configuration. - If there are multiple rules, they are evaluated in order of priority. - Special characters passed in key values are changed to "_". **Example**: `X-Device-Id` value is changed to `X_Device_Id`. **ForEachCallApiGet & ForEachCallApiPost Usage** Utils.ForEachCallApiGet(body.UserList, "https://expert-api.com/check/"+header.user_id+"/item.role",header).IsSuccessStatusCode == true - The list is specified with the “body.UserList” variable. - The “item.role” variable represents the usage of the object within the iteration. - When using iteration, it is important to ensure that it is used within quotation marks (””). **Conclusion** This document has explained the configuration options used for resource authorization and access control in the Apisix plugin and how to write rules. The authorization process is performed using either the Privilege or Rule methods. Resources, privileges, resource privileges, and rules are configured in relation to each other, and access control decisions are made based on these rules.