diff --git a/lib/NGCP/Panel/Controller/API/Root.pm b/lib/NGCP/Panel/Controller/API/Root.pm index fb17a2986e..00091997db 100644 --- a/lib/NGCP/Panel/Controller/API/Root.pm +++ b/lib/NGCP/Panel/Controller/API/Root.pm @@ -31,7 +31,7 @@ __PACKAGE__->config( action => { map { $_ => { ACLDetachTo => 'invalid_user', - AllowedRole => [qw/admin reseller/], + AllowedRole => [qw/admin reseller subscriberadmin subscriber/], Args => 0, Does => [qw(ACL CheckTrailingSlash RequireSSL)], Method => $_, @@ -64,6 +64,7 @@ sub GET : Allow { }; my $colls = NGCP::Panel::Utils::API::get_collections_files; + my %user_roles = map {$_ => 1} $c->user->roles; foreach my $coll(@$colls) { my $mod = $coll; $mod =~ s/^.+\/([a-zA-Z0-9_]+)\.pm$/$1/; @@ -74,9 +75,9 @@ sub GET : Allow { my $role = $full_mod->config->{action}->{OPTIONS}->{AllowedRole}; if(ref $role eq "ARRAY") { - next unless grep @{ $role }, $c->user->roles; + next unless grep { $user_roles{$_}; } @{ $role }; } else { - next unless $role && $role eq $c->user->roles; + next unless $user_roles{$role}; } my $query_params = []; @@ -197,6 +198,11 @@ sub GET : Allow { } + if ($user_roles{subscriber} || $user_roles{subscriberadmin}) { + $c->stash(is_subscriber_api => 1); + } else { + $c->stash(is_admin_api => 1); + } $c->stash(template => 'api/root.tt'); $c->forward($c->view); $c->response->headers(HTTP::Headers->new( diff --git a/share/templates/api/root/auth.tt b/share/templates/api/root/auth.tt index 451b866f55..3e21054985 100644 --- a/share/templates/api/root/auth.tt +++ b/share/templates/api/root/auth.tt @@ -8,7 +8,21 @@ [% END -%] -Authentication and authorization on the Sipwise NGCP HTTP API is performed via HTTP Basic Auth or SSL Client Certificates. +
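Review bot: The scalar branch in the `@@ -74,9 +75,9 @@` hunk drops the old `$role &&` guard, so a collection whose OPTIONS action has no `AllowedRole` now reaches `$user_roles{$role}` with an undefined key. The lookup still fails closed and the collection is skipped, but it emits an "uninitialized value" warning if warnings are enabled (the file's pragmas are not visible in the diff). I would write `next unless defined $role && $user_roles{$role};`. Visibility in the listing is decided only from `config->{action}->{OPTIONS}->{AllowedRole}`, which now matters for subscriber logins as well, so a short comment stating that assumption would help. The body of `GET` starts and ends outside this hunk.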
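Review bot: The `else` branch added in the `@@ -197,6 +198,11 @@` hunk stashes `is_admin_api` for every user who is neither `subscriber` nor `subscriberadmin`, so any role added later, or a user with no role at all, gets the administrator documentation by default. An explicit test such as `elsif ($user_roles{admin} || $user_roles{reseller}) {` would leave both flags unset for unexpected roles. The templates then fall back to the reduced view, because they only test `is_admin_api`. The rest of `GET` lies outside the hunk.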

+The access level of this API user is +[% SWITCH c.user.roles %] + [%- CASE 'admin' %] admin + [%- CASE 'reseller' %] reseller + [%- CASE 'subscriberadmin' %] subscriberadmin + [%- CASE 'subscriber' %] subscriber + [%- CASE %] (unknown) +[%- END %]. +

+

+Authentication and authorization on the Sipwise NGCP HTTP API is performed via +HTTP Basic Auth +[% IF is_admin_api %] or SSL Client Certificates[% END %]. +

HTTP Basic Auth You can authenticate against the API using your normal NGCP Panel administrator or reseller login credentials with the realm api_admin_http. @@ -80,88 +94,90 @@ else { -SSL Client Certificates -You can generate and download client certificates for administrators and resellers via the NGCP Panel in the Administrators view. In order to do so, your server certificate MUST support SSL client CA and SSL client CA. You can verify it with the following command: - - -openssl x509 -purpose -noout -in /path/to/ca-cert.pem - - -For the actual client authentication, you will need two files which you can download from the panel after creating the client certificates: - -
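Review bot: `[% SWITCH c.user.roles %]` compares a single value, yet Root.pm in this same commit treats `$c->user->roles` as a list (`map {$_ => 1} $c->user->roles`). If a user can hold more than one role, Template Toolkit will presumably pass an array reference here and the block will print "(unknown)". Printing a value computed in the controller, or testing the flags it already stashes (`[% IF is_admin_api %]`), avoids relying on how the method's return value is converted. Separately, the unchanged paragraph below this hunk still says "administrator or reseller login credentials with the realm api_admin_http", and that text is now shown to subscriber users as well. The correct realm for them is not visible in this diff, so the wording should be checked.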
    -
  1. The client certificate generated via the NGCP Panel. This is usually labelled NGCP-API-client-certificate-xxxxx.pem.
  2. -
  3. The CA certificate used to sign the server certificate, in case it as been self-signed or the CA is not recognized by the client host environment.
  4. -
- -Examples -
- -
Using cURL on the Shell
-

-With cURL, use --cert /path/to/NGCP-API-client-certificate-xxxxx.pem to specify the client certificate, and --cacert /path/to/ca-cert.pem to specify the CA certificate in case of a self-signed server certificate. - - -curl -i -X GET --cert /path/to/NGCP-API-client-certificate-xxxxx.pem --cacert /path/to/ca-cert.pem https://example.org:1443/api/ - - -Additionally use the --insecure option if you are testing against a self-signed server certificate. -

- -
Using Perl LWP::UserAgent
-

-With LWP::UserAgent, set up the SSL client certificates using the ssl_opts() function. Since the key file downloaded from the NGCP Panel combines both the client key and the certificate into one single file, use the same filename for the SSL_cert_file and SSL_key_file option. - - -#!/usr/bin/perl -w -use strict; -use LWP::UserAgent; - -my $ua = LWP::UserAgent->new(); -$ua->ssl_opts( - SSL_cert_file => '/path/to/NGCP-API-client-certificate-xxxxx.pem', - SSL_key_file => '/path/to/NGCP-API-client-certificate-xxxxx.pem', - SSL_ca_file => '/path/to/ca-cert.pem', - # set to 0 if using a self-signed certificate - verify_hostname => 1, -); - -my $res = $ua->get('https://example.org:1443/api/'); -if($res->is_success) { - print $res->as_string; -} else { - print STDERR $res->status_line, "\n"; -} - -

- -
Using PHP cURL
-

- -Same as with Perl's LWP::UserAgent described above, you have to set the key and certificate paths using curl_setopt_array(), with the parameters CURLOPT_SSLCERT and CURLOPT_SSLKEY pointing to your client certificate. - - -$ua = curl_init(); -$options = array( - CURLOPT_SSLCERT => '/path/to/NGCP-API-client-certificate-xxxxx.pem', - CURLOPT_SSLKEY => '/path/to/NGCP-API-client-certificate-xxxxx.pem', - CURLOPT_CAINFO => '/path/to/ca-cert.pem', - CURLOPT_RETURNTRANSFER => true, - // set to false if using a self-signed certificate - CURLOPT_SSL_VERIFYPEER => true, - CURLOPT_SSL_VERIFYHOST => true, -); -curl_setopt_array($ua , $options); -curl_setopt($ua, CURLOPT_URL, 'https://example.org:1443/api/'); -$res = curl_exec($ua); -if(!$res) { - echo "Curl Error : " . curl_error($ua); -} -else { - echo $res; -} - -

- -
+[% IF is_admin_api %] + SSL Client Certificates + You can generate and download client certificates for administrators and resellers via the NGCP Panel in the Administrators view. In order to do so, your server certificate MUST support SSL client CA and SSL client CA. You can verify it with the following command: + + + openssl x509 -purpose -noout -in /path/to/ca-cert.pem + + + For the actual client authentication, you will need two files which you can download from the panel after creating the client certificates: + +
    +
  1. The client certificate generated via the NGCP Panel. This is usually labelled NGCP-API-client-certificate-xxxxx.pem.
  2. +
  3. The CA certificate used to sign the server certificate, in case it as been self-signed or the CA is not recognized by the client host environment.
  4. +
+ + Examples +
+ +
Using cURL on the Shell
+

+ With cURL, use --cert /path/to/NGCP-API-client-certificate-xxxxx.pem to specify the client certificate, and --cacert /path/to/ca-cert.pem to specify the CA certificate in case of a self-signed server certificate. + + + curl -i -X GET --cert /path/to/NGCP-API-client-certificate-xxxxx.pem --cacert /path/to/ca-cert.pem https://example.org:1443/api/ + + + Additionally use the --insecure option if you are testing against a self-signed server certificate. +

+ +
Using Perl LWP::UserAgent
+

+ With LWP::UserAgent, set up the SSL client certificates using the ssl_opts() function. Since the key file downloaded from the NGCP Panel combines both the client key and the certificate into one single file, use the same filename for the SSL_cert_file and SSL_key_file option. + + + #!/usr/bin/perl -w + use strict; + use LWP::UserAgent; + + my $ua = LWP::UserAgent->new(); + $ua->ssl_opts( + SSL_cert_file => '/path/to/NGCP-API-client-certificate-xxxxx.pem', + SSL_key_file => '/path/to/NGCP-API-client-certificate-xxxxx.pem', + SSL_ca_file => '/path/to/ca-cert.pem', + # set to 0 if using a self-signed certificate + verify_hostname => 1, + ); + + my $res = $ua->get('https://example.org:1443/api/'); + if($res->is_success) { + print $res->as_string; + } else { + print STDERR $res->status_line, "\n"; + } + +

+ +
Using PHP cURL
+

+ + Same as with Perl's LWP::UserAgent described above, you have to set the key and certificate paths using curl_setopt_array(), with the parameters CURLOPT_SSLCERT and CURLOPT_SSLKEY pointing to your client certificate. + + + $ua = curl_init(); + $options = array( + CURLOPT_SSLCERT => '/path/to/NGCP-API-client-certificate-xxxxx.pem', + CURLOPT_SSLKEY => '/path/to/NGCP-API-client-certificate-xxxxx.pem', + CURLOPT_CAINFO => '/path/to/ca-cert.pem', + CURLOPT_RETURNTRANSFER => true, + // set to false if using a self-signed certificate + CURLOPT_SSL_VERIFYPEER => true, + CURLOPT_SSL_VERIFYHOST => true, + ); + curl_setopt_array($ua , $options); + curl_setopt($ua, CURLOPT_URL, 'https://example.org:1443/api/'); + $res = curl_exec($ua); + if(!$res) { + echo "Curl Error : " . curl_error($ua); + } + else { + echo $res; + } + +

+ +
+[% END %] [% # vim: set tabstop=4 syntax=html expandtab: -%] diff --git a/share/templates/api/root/collection.tt b/share/templates/api/root/collection.tt index a47ab23eb9..bd1a14e868 100644 --- a/share/templates/api/root/collection.tt +++ b/share/templates/api/root/collection.tt @@ -8,6 +8,11 @@ [% END -%] +[%- curl_auth_string = ''; + IF is_admin_api; + curl_auth_string = '--cert NGCP-API-client-certificate.pem --cacert ca-cert.pem '; + END; -%] + Description [% col.description %] @@ -109,7 +114,7 @@ See description how to obtain properties, if any. Request available HTTP methods on the URI
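Review bot: The client-certificate examples re-added inside `[% IF is_admin_api %]` still tell readers to pass `--insecure`, to set `verify_hostname` to 0, or to set `CURLOPT_SSL_VERIFYPEER` to false when the server certificate is self-signed. Each example already supplies the signing CA (`--cacert`, `SSL_ca_file`, `CURLOPT_CAINFO`), which is the supported way to trust a self-signed server, and turning verification off removes the server authentication that the client-certificate login depends on. Since every one of these lines is rewritten by the hunk anyway, I would replace the hints with something like `# keep verification enabled; point SSL_ca_file at the CA that signed the server certificate`. The moved text also still contains "SSL client CA and SSL client CA" and "in case it as been self-signed".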
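Review bot: For subscriber and subscriberadmin users `curl_auth_string` stays empty, so every generated example shows a request with no credentials at all. This affects this hunk and the later `cmd = ...` hunks for OPTIONS, GET, the create/update request, PATCH and DELETE, even though auth.tt tells these users to authenticate with HTTP Basic Auth. I would give the non-admin case a placeholder, for example `ELSE; curl_auth_string = '--user \'username:password\' ';`, so the documented commands match the documented login method. As a point of style, the new concatenations are written `'_ curl_auth_string _'` without the space that the surrounding expressions put before `_` (`' _ uri`).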

[% - cmd = 'curl -i -X OPTIONS -H \'Connection: close\' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem https://example.org:1443' _ uri; + cmd = 'curl -i -X OPTIONS -H \'Connection: close\' '_ curl_auth_string _'https://example.org:1443' _ uri; INCLUDE helpers/api_command.tt cmd=cmd level=level+3; request = @@ -133,7 +138,7 @@ Accept-Post: application/hal+json; profile="http://purl.org/sipwise/ngcp-api/#re To define the page number and the rows per page to return, you can pass the parameters page and rows. Default values are page=1 and rows=10, if you do not provide them.

[% - cmd = 'curl -i -X GET -H \'Connection: close\' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem \'https://example.org:1443/api/' _ id _ '/?page=1&rows=1\''; + cmd = 'curl -i -X GET -H \'Connection: close\' '_ curl_auth_string _'\'https://example.org:1443/api/' _ id _ '/?page=1&rows=1\''; INCLUDE helpers/api_command.tt cmd=cmd level=level+3; props = get_props_plain() | indent(12); @@ -201,7 +206,7 @@ Content-Type: application/hal+json; profile="http://purl.org/sipwise/ngcp-api/"

[% - cmd = 'curl -i -X GET -H \'Connection: close\' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem \'https://example.org:1443/api/' _ id _ '/1\''; + cmd = 'curl -i -X GET -H \'Connection: close\' '_ curl_auth_string _'\'https://example.org:1443/api/' _ id _ '/1\''; INCLUDE helpers/api_command.tt cmd=cmd level=level+3; props = get_props_plain() | indent(3); @@ -277,7 +282,7 @@ Preference-Applied: return=minimal'; - cmd = 'curl -i -X ' _ http_request _ ' -H \'Connection: close\' -H \'Content-Type: ' _ content_type _ '\'' _ request_headers_form _ ' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem \'https://example.org:1443/api/' _ id _ '/' _ item_id _ '\' ' _ request_form ; + cmd = 'curl -i -X ' _ http_request _ ' -H \'Connection: close\' -H \'Content-Type: ' _ content_type _ '\'' _ request_headers_form _ ' '_ curl_auth_string _'\'https://example.org:1443/api/' _ id _ '/' _ item_id _ '\' ' _ request_form ; request = http_request _ ' /api/' _ id _ '/' _ item_id _ ' HTTP/1.1 @@ -348,7 +353,7 @@ END%] END; props = props.substr(0, props.length - 2); - cmd = 'curl -i -X PATCH -H \'Connection: close\' -H \'Content-Type: application/json-patch+json\' -H \'Prefer: return=minimal\' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem \'https://example.org:1443/api/' _ id _ '/2\' --data-binary \'[ ' _ props _ ' ]\''; + cmd = 'curl -i -X PATCH -H \'Connection: close\' -H \'Content-Type: application/json-patch+json\' -H \'Prefer: return=minimal\' '_ curl_auth_string _'\'https://example.org:1443/api/' _ id _ '/2\' --data-binary \'[ ' _ props _ ' ]\''; INCLUDE helpers/api_command.tt cmd=cmd extended=1 level=level+3; %] @@ -437,7 +442,7 @@ Preference-Applied: return=minimal';

[% - cmd = 'curl -i -X DELETE -H \'Connection: close\' --cert NGCP-API-client-certificate.pem --cacert ca-cert.pem \'https://example.org:1443/api/' _ id _ '/1\''; + cmd = 'curl -i -X DELETE -H \'Connection: close\' '_ curl_auth_string _'\'https://example.org:1443/api/' _ id _ '/1\''; INCLUDE helpers/api_command.tt cmd=cmd level=level+3; request =