You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- Instance-based authorization with genre-based attribute filters
21
22
- Advanced filter conditions that exceed the capabilities of the standard [instance-based cds conditions](https://cap.cloud.sap/docs/guides/security/authorization#instance-based-auth)
23
+
- Principal propagation with API policies that further restrict access
22
24
-[Hybrid testing](https://cap.cloud.sap/docs/advanced/hybrid-testing) via `cds bind`
23
25
- Auto-Configuration for deployment via [cds add](https://cap.cloud.sap/docs/tools/cds-cli#cds-add)
You can look at the integration tests for the [`CatalogService`](./test/cat-service.test.js) and the [`AdminService`](./test/admin-service.test.js). They demonstrate the expected behavior of the application for mocked users with different combinations of authorization policies.
48
+
You can look at the integration tests for the [`CatalogService`](./test/cat-service.test.js), [`AdminService`](./test/admin-service.test.js), and [`AmsValueHelpService`](./test/vh-service.test.js). They demonstrate the expected behavior of the application for mocked users with different combinations of authorization policies.
49
+
50
+
Advanced AMS capabilities includes in the tests:
51
+
-**Filtered access**: The `juniorReader` can only access books in specific genres (Fairy Tale, Fantasy, Mystery)
52
+
-**Principal propagation**: The `principalPropagation` user demonstrates how API policies can further restrict access for user requests from external applications - combining JuniorReader policy (allows Fairy Tale, Fantasy, Mystery) of user with ReadCatalog API policy (excludes Mystery, Romance, Thriller, Dystopia) results in access to only Fantasy books
47
53
48
54
### Manual tests
49
-
To test the effect of changes, you can make manual requests against the server by authenticating via *Basic Auth* as one of the mocked users (and an empty password). In the [cds env configuration](./.cdsrc.json#L4), you can see and change the list of policies that is assigned to the mocked users.
55
+
To test the effect of changes, you can make manual requests against the server by authenticating via *Basic Auth* as one of the mocked users (and an empty password). In the [cds env configuration](./.cdsrc.json), you can see and change the list of policies that is assigned to the mocked users.
50
56
51
57
If the application was started in watch mode, get creative by making changes and observe the effects. Here's some ideas:
52
58
53
59
#### Create your own admin policy
54
-
- create a new admin policy in [adminPolicies.dcl](./ams/dcl/local/adminPolicies.dcl) with a different filter condition
55
-
- assign the policy to a user via the [cds env configuration](./.cdsrc.json#L4)
56
-
- validate it works as intended
57
-
- make a request to an entity that is filtered base on the attributes of the policy
58
-
- extend the unit tests
59
-
60
-
#### Extend the AMS annotations
61
-
- add more attribute filters via `ams.attributes` annotations
62
-
- extend the role policies in [basePolicies.dcl](./ams/dcl/cap/basePolicies.dcl) if the new AMS attribute is applicable for the existing roles
63
-
-[create an admin policy](#create-your-own-admin-policy) that filters a role based on this attribute
60
+
- Create a new policy in [adminPolicies.dcl](./ams/dcl/local/adminPolicies.dcl) with a different genre filter condition
61
+
- Assign the policy to a user via the [cds env configuration](./.cdsrc.json)
62
+
- Validate it works as intended
63
+
- Make a request to `/odata/v4/catalog/Books` as that user
64
+
- Verify only books matching the genre filter are returned
65
+
- Extend the unit tests to cover the new scenario
66
+
67
+
#### Extend the AMS attributes
68
+
- Add more attribute filters via `@ams.attributes` annotations in [authorization.cds](./srv/authorization.cds)
69
+
- Example: Add author-based filtering by mapping `Author: author.name`
70
+
- Extend the role policies in [basePolicies.dcl](./ams/dcl/cap/basePolicies.dcl) to additionally filter by the new attribute where it makes sense
71
+
-[Create a new admin policy](#create-your-own-policy) that filters a role based on this attribute
72
+
- Extend the [vh-service.js](./srv/vh-service.js) to return possible values for the new attribute
73
+
74
+
#### Test principal propagation
75
+
- Observe how the `principalPropagation` user's access is restricted by both the JuniorReader policy AND the ReadCatalog API policy
76
+
- Try creating different combinations of user policies and API policies to see how they interact
77
+
- The intersection of filters determines the final access rights
64
78
65
79
## Hybrid Testing
66
80
For [CAP Hybrid Testing](https://cap.cloud.sap/docs/advanced/hybrid-testing), you can `cds bind -2 <yourIdentityServiceInstance>` and start the application via
0 commit comments