Service Settings
Introduction
A service is a single entity for which a user can request credentials. The configuration of a service consists of one group of service settings.
To create credentials, WaTTS connects to the service, either locally or remotely using ssh. After the connection is established, a command is executed and the subsequent result is parsed and interpreted.
The executed commands are also called plugins; for further information on how the plugins work and how to implement them, see the documentation for developers.
The plugins are not part of WaTTS, so they can be changed independently of WaTTS and also maintained by the community.
Known plugins (use them at your own risk):
Feel free to add an issue to get your plugin listed above.
Settings
Each setting is prefixed with `service.<id>.` where `<id>` must be replaced by the id you want to give to the service.
Authorization
Authorization follows a few simple steps:
1. at first everyone is forbidden
2. if an `allow` rule that matches the user evaluates to true, she is allowed
3. if a `forbid` rule that matches the user evaluates to true, he is forbidden

So for a user to access a service she:
- MUST match at least one `allow` rule
- MUST NOT match any `forbid` rule
Each rule is exactly one line long. A rule always consists of five parts: `authz.allow.<p>.<k>.<o> = <v>`, where the values are:
- `p`: the Id of the provider, this can either be an OpenID Connect provider or an RSP
- `k`: the key within the OpenId Connect Id-Token or user information
- `info`: the information in the Id Token or user information with the key `k`
- `o`: the operation to perform
- `v`: the value
The provider Id for an OpenID Connect provider is the same as was given during the configuration; in the provider example above the id was `iam`, so using that for `p` allows making decisions on users coming from `iam`.
The provider Id for an RSP is the id of the RSP prefixed with `rsp-`. So the simple RSP in the example above would have the id `rsp-simple`. All connections from an RSP get logged in using the information sent by the RSP; an additional login at a configured OpenID Connect provider can be performed.
There is a special provider id value, `any`, which matches any provider, meaning any OpenID Connect or RSP provider.
The key `k` has to match a key of the Id Token or the user info. The value that the Id Token or user info holds for the key `k` is the `info`. If the key is not present:
- an `allow` rule evaluates to false
- a `forbid` rule evaluates to true
The operation `o` can be one of the following list:
- `contains`: the `info` can either be a list or a string
  - a list: the value `v` must be a member of the list `info`
  - a string: the value `v` must be part of the string `info`
- `is_member_of`: the value `v` must be a comma separated list (with no spaces!) and `info` needs to be a member of that list
- `equals`: `v` and `info` need to be equal
- `regexp`: `v` is a regular expression and `info` needs to satisfy the expression
- `any`: evaluates to `v`, so to make this pass set `v` to 'true'
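The evaluation order and the operations described above, as an added example that is not part of the WaTTS documentation or code: a Python reimplementation of the rule semantics (deny by default, one true `allow` rule required, no true `forbid` rule, missing key handling) run over a few constructed rule lines for a hypothetical service id `info`. The provider ids `iam` and `rsp-simple` are the ones named above; the claim names `sub`, `groups`, `email` and `role` are constructed sample data. Two points are assumptions rather than documented behaviour: `regexp` is applied with search semantics (a match anywhere in `info`), and a rule written for a different provider than the one the user logged in with is skipped entirely.

```python
import re

# Rule line format from the Settings and Authorization sections:
#   service.<id>.authz.<allow|forbid>.<p>.<k>.<o> = <v>
RULE_RE = re.compile(
    r"^service\.([^.\s]+)\.authz\.(allow|forbid)\.([^.\s]+)\.([^.\s]+)\.([^.\s]+)\s*=\s*(.*?)\s*$"
)

# Constructed example rules for a hypothetical service with id 'info'
# (not taken from the WaTTS documentation).
EXAMPLE_RULES = r"""
service.info.authz.allow.any.sub.any = true
service.info.authz.allow.iam.groups.contains = Developer
service.info.authz.forbid.any.email.regexp = @example\.org$
service.info.authz.forbid.rsp-simple.role.is_member_of = guest,blocked
"""


def parse_rules(text):
    """Parse rule lines into dicts; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"not an authz rule: {line!r}")
        service, kind, p, k, o, v = m.groups()
        rules.append({"service": service, "kind": kind, "p": p, "k": k, "o": o, "v": v})
    return rules


def op_matches(o, info, v):
    """Apply operation o to the token/userinfo value info and the rule value v."""
    if o == "contains":
        if isinstance(info, list):
            return v in info            # v must be a member of the list
        return v in str(info)           # v must be a substring of the string
    if o == "is_member_of":
        return info in v.split(",")     # v is a comma separated list, no spaces
    if o == "equals":
        return info == v
    if o == "regexp":
        # Assumption: the expression may match anywhere in info (search semantics).
        return re.search(v, str(info)) is not None
    if o == "any":
        return v == "true"              # the rule evaluates to v itself
    raise ValueError(f"unknown operation {o!r}")


def rule_result(rule, provider, claims):
    """Return True/False for an applicable rule, or None if it does not apply.

    Assumption: a rule for another provider is skipped (None). A rule whose key
    is absent from the claims evaluates to False for allow and True for forbid,
    as the documentation states.
    """
    if rule["p"] != "any" and rule["p"] != provider:
        return None
    if rule["k"] not in claims:
        return rule["kind"] == "forbid"
    return op_matches(rule["o"], claims[rule["k"]], rule["v"])


def is_allowed(rules, service, provider, claims):
    """Deny by default; require one true allow rule and no true forbid rule."""
    applicable = [r for r in rules if r["service"] == service]
    allowed = any(
        r["kind"] == "allow" and rule_result(r, provider, claims) is True
        for r in applicable
    )
    forbidden = any(
        r["kind"] == "forbid" and rule_result(r, provider, claims) is True
        for r in applicable
    )
    return allowed and not forbidden


if __name__ == "__main__":
    rules = parse_rules(EXAMPLE_RULES)
    alice = {"sub": "alice", "email": "alice@example.com", "groups": ["Developer"]}
    carol = {"sub": "carol"}   # no email claim: the forbid regexp rule evaluates to true
    print("alice via iam:", is_allowed(rules, "info", "iam", alice))
    print("carol via iam:", is_allowed(rules, "info", "iam", carol))
```

The `carol` case is the one worth noticing when writing `forbid` rules: because a missing key makes a `forbid` rule evaluate to true, a forbid rule on an optional claim such as `email` locks out every user whose token lacks that claim, not only the users the pattern was meant to catch.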
Examples
Complete Example