2023-03-02 03:03:10 +00:00

319 lines
7.9 KiB

IDM API Design and Layout
To think about this, we need to look at what the eventual structure of the CLI will look like as
it roughly maps to the same operations.
The cli layout will be (roughly, not actual final product):
- raw
| - search
| - create
| - modify
| - delete
- recycle_bin
| - list
| - display (view, get)
| - search
| - revive (is restore better)
- self
| - display
| - set_credential (--appid/primary, --password, --totp, --webauthn, or combinations?)
| - reset_radius_password
| - add_credential_claim
| - remove_credential_claim
| - set_name
| - set_displayname
| - set_legalname
| - add_sshpublickey
| - remove_sshpublickey
| - modify (with --arg, could we get this from schema)
| - get_radius_android
| - get_radius_ios_macos
| - get_radius_config
- account
| - list
| - display
| - create
| - delete
| - modify
| - reset_credential
| - add_credential_claim
| - remove_credential_claim
| - set_name
| - set_displayname
| - set_legalname
| - enroll_sshpublickey
| - remove_sshpublickey
| - lock
| - unlock
| - expire_at
- group
| - list
| - display
| - create
| - delete
| - modify
| - add_members
| - remove_members
- claims
| - list
| - display
| - create
| - delete
| - modify
| - set_credential_policy
- access_profiles
| - list
| - display
| - create
| - delete
| - modify
| - enable
| - disable
- schema
| - class
| - list
| - get
| - create
| - add_may_attribute
| - add_must_attribute
| - attribute
| - list
| - get
| - create
| - query_class (--may, --must)
- radius
| - TBD
To support this, I think we need to break the api resources down in a similar pattern. We'd need
to think about how this looks with rest ...
This is the server's internal CRUD (well, CSMD) protocol exposed at a low level
for batch operations if required. We could simply have /raw take a list of
the CUD/CMD ops for a real batching system ...
POST -> search request
POST -> create request
POST -> modify request
POST -> modify request
POST -> Auth requests
GET -> list all account ids
POST -> create new account
GET -> display account
PUT -> overwrite account attrs
PATCH -> update via diff
DELETE -> delete this account
GET -> display this attr
PUT -> overwrite this attr value list
POST -> append this list to attr
DELETE -> purge this attr
POST -> lock this account until time (or null for permanent)
DELETE -> unlock this account
GET -> list the credentials
POST -> lock this credential until time (or null for permanent)
DELETE -> unlock this account
GET -> get the accounts radius credentials
(note: more methods to come to update/reset this credential
GET -> let's the radius server get all required details for radius to work
Modify and perform actions on self - generally this is an extension of capability
from account and person, but combined to one.
GET -> view self (aka whoami)
PUT -> overwrite self content
PATCH -> update self via diff
GET -> view self attribute.
PUT -> overwrite attr
POST -> append list of attr
DELETE -> purge attr
(note: more to come re setting/updating credentials, see account)
GET -> list radius cred
(note: more to come re setting/updating this credential)
POST -> create new config link w_ secret key?
GET -> get radius config json (no auth needed, secret_key is OTP)
GET -> get radius config profile for apple (secret_key is OTP)
GET -> get radius config profile for android (secret_key is OTP)
GET -> list all group ids
POST -> create new group
GET -> get this group id
PUT -> overwrite group content
PATCH -> update via diff
DELETE -> whole entry
GET -> get this groups attr
PUT -> overwrite this group attr value list
POST -> append this list to group attr
DELETE -> purge this attr (if body empty) or the elements listed in the body
Schema defines how we structure and store attributes, so we need a way to query
this and see what it contains.
GET -> list all class and attr types
GET -> list schema class names
POST -> create new class
GET -> list schema class
PUT -> overwrite schema content
PATCH -> update via diff
GET -> list value of attr
PUT -> overwrite attr value
POST -> append list of values to attr
DELETE -> purge attr
GET -> list schema class names
POST -> create new class
GET -> list schema class
PUT -> overwrite schema content
PATCH -> update via diff
GET -> list value of attr
PUT -> overwrite attr value
POST -> append list of values to attr
DELETE -> purge attr
List and restore from the recycle bin if possible.
GET -> list
GET -> view recycled type
POST -> restore this id.
GET -> list
POST -> create new acp
GET -> display acp
PUT -> overwrite acp
PATCH -> update via diff
DELETE -> delete this acp
GET -> list value of attr
PUT -> overwrite attr value
POST -> append list of values to attr
DELETE -> purge attr
Great resource on api design
Has a great section on filtering strings that we should implement
Azure AD api as inspiration.
Other Notes
What about a sudo/temporal claim assignment for pw change instead?
-- temporal claim that requires re-auth to add?
-- similar for self-write?
- enforce cred policy
- may not always be granted
- need a reauth+claim request interface
- claims must be able to be scoped by time
- uat signed/tamper proof
- similar when bearer.
- pw reset links must expire
- url should be a bearer signed containing expiry
- similar for radius profile view, should have a limited time scope on url.