Passer au contenu principal

APIs Casbin exposées

Introduction

Supposons que le front-end de votre application a obtenu le access_token de l'utilisateur connecté et souhaite maintenant authentifier l'utilisateur pour certains accès. Vous ne pouvez pas simplement placer le access_token dans l'en-tête de la requête HTTP pour utiliser ces APIs car Casdoor utilise le champ Authorization pour vérifier la permission d'accès. Comme toutes les autres APIs fournies par Casdoor, le champ Authorization se compose de l'identifiant client de l'application et du secret, en utilisant le schéma d'authentification HTTP de base. Ça ressemble à Authorization: Basic <Votre_Application_ClientId> <Votre_Application_ClientSecret>. Pour cette raison, les APIs Casbin doivent être appelées par le serveur backend de l'application. Voici les étapes à suivre.

Prenez l'application app-vue-python-example sur le site de démonstration par exemple, l'en-tête d'autorisation devrait être : Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d.

  1. Le front-end transmet le access_token au serveur backend via l'en-tête de la requête HTTP.
  2. Le serveur backend récupère l'identifiant de l'utilisateur à partir du access_token.

Comme note préalable, ces interfaces sont également conçues (pour l'instant) pour le modèle (sub, obj, act). Le corps est le format de requête défini par le modèle Casbin de la permission, représentant généralement sub, obj et act respectivement.

En plus de l'interface API pour demander l'application du contrôle des permissions, Casdoor fournit également d'autres interfaces qui aident les applications externes à obtenir des informations sur la politique de permission, qui sont également listées ici.

Enforcer

The Enforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:

  • permissionId: The identity of a specific permission policy (format: organization name/permission name)
  • modelId: The identity of a permission model (format: organization name/model name) - enforces against all permissions using this model
  • resourceId: The identity of a resource - enforces against all permissions for this resource
  • enforcerId: The identity of a specific enforcer
  • owner: The organization name - enforces against all permissions in this organization

Request using permissionId:

curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Request using modelId:

curl --location --request POST 'http://localhost:8000/api/enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Request using resourceId:

curl --location --request POST 'http://localhost:8000/api/enforce?resourceId=example-org/example-resource' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'

Response:

{
    "status": "ok",
    "msg": "",
    "sub": "",
    "name": "",
    "data": [
        true
    ],
    "data2": [
        "example-org/example-model/example-adapter"
    ]
}

Note: When using modelId, resourceId, enforcerId, or owner parameters, the response data array may contain multiple boolean values (one for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.

BatchEnforce

The BatchEnforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:

  • permissionId: The identity of a specific permission policy (format: organization name/permission name)
  • modelId: The identity of a permission model (format: organization name/model name) - enforces against all permissions using this model
  • enforcerId: The identity of a specific enforcer
  • owner: The organization name - enforces against all permissions in this organization

Request using permissionId:

curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'

Request using modelId:

curl --location --request POST 'http://localhost:8000/api/batch-enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"]]'

Réponse :

{
    "status": "ok",
    "msg": "",
    "sub": "",
    "name": "",
    "data": [
        [
            true,
            true,
            false
        ]
    ],
    "data2": [
        "example-org/example-model/example-adapter"
    ]
}

Note: When using modelId, enforcerId, or owner parameters, the response data array may contain multiple arrays of boolean values (one array for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.

GetAllObjects

This API retrieves all objects (resources) that a user has access to. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-objects?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Réponse :

{
    "status": "ok",
    "msg": "",
    "data": [
        "app-built-in",
        "example-resource"
    ]
}

GetAllActions

This API retrieves all actions that a user can perform. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-actions?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Réponse :

{
    "status": "ok",
    "msg": "",
    "data": [
        "read",
        "write",
        "admin"
    ]
}

GetAllRoles

This API retrieves all roles assigned to a user. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.

Request with userId parameter:

curl --location --request GET 'http://localhost:8000/api/get-all-roles?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Request using session (userId determined from session):

curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'

Réponse :

{
    "status": "ok",
    "msg": "",
    "data": [
        "role_kcx66l"
    ]
}