diff --git a/README.md b/README.md
index f63d4b2..12fd709 100644
--- a/README.md
+++ b/README.md
@@ -139,18 +139,16 @@ This is the **IDCS** service authorization by the token passed in BODY and will
 This is the main code for your authorization function and will be described in sequence.
-![img_1.png](images/authApi_2.png)
+![img.png](images/authApi_2.png)
-Authorization function works 2 times
-The first call to the authorization function needs to validate your token from the **IDCS** and the first call always came with **body_schema_validation** = None.
-In the second call, the **body_schema_validation** came with some schema value from your OpenAPI spec, so the **IDCS** validation will be skiped.
+Remember that the API always will be deployed in 2 layers. The first layer will call the second layer.
+Authorization function works only in the second layer for best performance. This will be explained in the next section (**applyValidationApi**)
 ![img_2.png](images/authApi_3.png)
-In the first authorization execution, the validation step will be skiped but in the second execution, the validation occurs with the same logic in the **body_schema_validation**.
-
-![img_3.png](images/authApi_4.png)
+This is the schema validation for Swagger and Open API 3
+![img.png](images/authApi_4.png)
 ## applyValidationApi
@@ -168,7 +166,7 @@ The validation respecting the Swagger 2.0 spec can be done by this component: [S
 The authorization function is deployed in the proxy API deployment and in the real API deployment, but the validation of the spec will be done only in the real API layer and **if** the HEADER **body_schema_validation** has a content.
-![img_8.png](images/img_8.png)
+![img.png](images/img_8.png)
 You need to deploy the API (you can see the **deployment** file [applyValidationApi.json](./files/applyValidationApi/applyValidationApi.json) in JSON format to understand the parameters):
diff --git a/files/OCI_API_Gateway_Automation_files.zip b/files/OCI_API_Gateway_Automation_files.zip index 4aae5fa..84bdc6b 100644 Binary files a/files/OCI_API_Gateway_Automation_files.zip and b/files/OCI_API_Gateway_Automation_files.zip differ diff --git a/files/applyValidationApi/func.py b/files/applyValidationApi/func.py index c912d29..dba5b1f 100644 --- a/files/applyValidationApi/func.py +++ b/files/applyValidationApi/func.py @@ -183,10 +183,10 @@ def applyAuthApi(compartmentId, displayName, payload, functionId, host, api_gate for item in payload: methods = json.loads(json.dumps(item["METHOD"].split(" "))) path_prefix = item["PATH_PREFIX"] + callback_url = ("https://" + host + item["PATH_PREFIX"] + "validation-callback" + item["PATH"]).replace("{", "${request.path[").replace("}", "]}") if (item["SCHEMA_BODY_VALIDATION"] != ""): - callback_url = ("https://" + host + item["PATH_PREFIX"] + "validation-callback" + item["PATH"]).replace("{", "${request.path[").replace("}", "]}") put_logs_response = logging.put_logs( - log_id="ocid1.log.oc1.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", + log_id="ocid1.log.oc1.iad.amaaaaaaamaaaaaaamaaaaaaamaaaaaaamaaaaaaamaaaaaaamaaaaaaamaaaaaa", put_logs_details=oci.loggingingestion.models.PutLogsDetails( specversion="EXAMPLE-specversion-Value", log_entry_batches=[ @@ -237,6 +237,14 @@ def applyAuthApi(compartmentId, displayName, payload, functionId, host, api_gate else: routes.append( + oci.apigateway.models.ApiSpecificationRoute( + path=item["PATH"], + backend=oci.apigateway.models.HTTPBackend( + type="HTTP_BACKEND", + url=callback_url, + is_ssl_verify_disabled=False), + methods=methods)) + new_routes.append( oci.apigateway.models.ApiSpecificationRoute( path=item["PATH"], backend=oci.apigateway.models.HTTPBackend( 
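Review bot: The `log_id` passed to `logging.put_logs` is still a string literal in the source; the change swaps one masked value for another instead of taking the identifier from configuration. A log OCID is an environment-specific resource identifier, so keeping it in code ties the function to a single log and places the identifier in version control. Consider reading it from the function's configuration and failing clearly when it is unset, for example `log_id=os.environ["<LOG_OCID_KEY>"]` (placeholder key name; `os` would need to be imported if it is not already). The body of `applyAuthApi` starts and ends outside this hunk.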
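Review bot: The `else` branch now builds the same `ApiSpecificationRoute` twice, with nothing saying which list feeds which deployment. From the later hunks, `routes` appears to go to the first-layer deployment and `new_routes` to the `-validation` one, so items without a body schema are now also proxied through `callback_url`. A short comment on each call would make that explicit, e.g. `# routes: 1st layer, forwards to the validation-callback URL` above `routes.append(` and `# new_routes: 2nd layer, real backend` above `new_routes.append(`. `callback_url` is concatenated from `host`, `PATH_PREFIX` and `PATH` with no validation; if those values can come from an uploaded spec or request, checking `host` against the expected gateway hostname before use would keep the first layer from being pointed at an unintended HTTPS backend. The `url=` line of the second route lies between this hunk and the next and is not visible here.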
@@ -245,6 +253,7 @@ def applyAuthApi(compartmentId, displayName, payload, functionId, host, api_gate is_ssl_verify_disabled=False), methods=methods)) + if (new_routes != [ ]): validation_deployment_details=oci.apigateway.models.UpdateDeploymentDetails( display_name=displayName + "-validation", 
@@ -296,34 +305,12 @@ def applyAuthApi(compartmentId, displayName, payload, functionId, host, api_gate creeateOrUpdateDeployment(compartmendId=compartmentId, displayName=displayName + "-validation", validation_deployment_details=validation_deployment_details, create_deployment_details=create_deployment_details, api_gateway_id=api_gateway_id) if (routes != [ ]): - # apigateway_client.update_deployment(deployment_id=deployment_id, update_deployment_details=oci.apigateway.models.UpdateDeploymentDetails( - # display_name=displayName, - # specification=oci.apigateway.models.ApiSpecification( - # request_policies=oci.apigateway.models.ApiSpecificationRequestPolicies( - # authentication=oci.apigateway.models.CustomAuthenticationPolicy( - # type="CUSTOM_AUTHENTICATION", - # function_id=functionId, - # is_anonymous_access_allowed=False, - # parameters={ - # 'token': 'request.headers[token]', - # 'body': 'request.body'}, - # cache_key=["token"])), - # routes=routes))) - + # The 1st layer will not authenticate validation_deployment_details=oci.apigateway.models.UpdateDeploymentDetails( display_name=displayName, specification=oci.apigateway.models.ApiSpecification( request_policies=oci.apigateway.models.ApiSpecificationRequestPolicies( - rate_limiting=rate_limiting, - authentication=oci.apigateway.models.CustomAuthenticationPolicy( - type="CUSTOM_AUTHENTICATION", - function_id=functionId, - is_anonymous_access_allowed=False, - parameters={ - 'token': 'request.headers[token]', - 'body': 'request.body', - 'opc-request-id': 'request.headers[opc-request-id]'}, - cache_key=["token", "opc-request-id"])), + rate_limiting=rate_limiting), routes=routes)) create_deployment_details=oci.apigateway.models.CreateDeploymentDetails( 
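Review bot: With `CustomAuthenticationPolicy` removed from `request_policies` here, and again from `create_deployment_details` in the next hunk, the first-layer deployment accepts unauthenticated requests and only rate-limits them. Token validation then rests entirely on the `displayName + "-validation"` deployment, whose request policies are not visible in this diff (the `if (routes != [ ])` block and `applyAuthApi` both continue outside the hunk), so it should be confirmed that every route there carries the custom authentication policy with `is_anonymous_access_allowed=False`. Because `callback_url` is built on the same `host`, the second-layer paths are presumably reachable directly, and that deployment likely needs its own `rate_limiting` rather than relying on the first layer. The new comment could state the dependency, e.g. `# 1st layer does not authenticate: the "-validation" deployment must enforce CUSTOM_AUTHENTICATION on every route`. The README context line saying the authorization function is deployed in both the proxy and the real API deployment no longer matches this behaviour.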
@@ -333,17 +320,9 @@ def applyAuthApi(compartmentId, displayName, payload, functionId, host, api_gate path_prefix= path_prefix, specification=oci.apigateway.models.ApiSpecification( request_policies=oci.apigateway.models.ApiSpecificationRequestPolicies( - rate_limiting=rate_limiting, - authentication=oci.apigateway.models.CustomAuthenticationPolicy( - type="CUSTOM_AUTHENTICATION", - function_id=functionId, - is_anonymous_access_allowed=False, - parameters={ - 'token': 'request.headers[token]', - 'body': 'request.body', - 'opc-request-id': 'request.headers[opc-request-id]'}, - cache_key=["token", "opc-request-id"])), + rate_limiting=rate_limiting), routes=routes)) + creeateOrUpdateDeployment(compartmendId=compartmentId, displayName=displayName, validation_deployment_details=validation_deployment_details, create_deployment_details=create_deployment_details, api_gateway_id=api_gateway_id) diff --git a/images/authApi_2.png b/images/authApi_2.png index a588548..d465797 100644 Binary files a/images/authApi_2.png and b/images/authApi_2.png differ diff --git a/images/authApi_4.png b/images/authApi_4.png index e809809..6becba4 100644 Binary files a/images/authApi_4.png and b/images/authApi_4.png differ diff --git a/images/img_8.png b/images/img_8.png index 2b1a6f2..6c3561e 100644 Binary files a/images/img_8.png and b/images/img_8.png differ