-
Notifications
You must be signed in to change notification settings - Fork 0
/
example.eskip
67 lines (60 loc) · 2.3 KB
/
example.eskip
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
///////////////////////////
// //
// Skoap example routing //
// //
///////////////////////////
// Just check the token
//
// 1. matches all requests that the other routes don't
// 2. validates the incoming Authorization header
// 3. drops the incoming Authorization header
// 4. forwards the request to https://www.example.org
// 5. prints audit log when the response is done
//
catchAll: *
-> auditLog()
-> auth()
-> dropRequestHeader("Authorization")
-> "https://www.example.org";
// Employees only with hardcoded basic
//
// 1. matches requests to host employees.foo.org
// 2. validates the incoming Authorization header
// 3. validates the realm of the owner of the token in the header
// 4. sets a hardcoded outgoing Authorization header
// 5. forwards the request to https://www.example.org
// 6. prints audit log when the response is done, with the request
// body included, max. 1024 bytes
//
realmOnly: Host("^employees.foo.org$")
-> auditLog(1024)
-> auth("/employees")
-> basicAuth("user9", "secret")
-> "https://www.example.org";
// Services with scopes only
//
// 1. matches requests to host services.foo.org
// 2. validates the incoming Authorization header
// 3. validates the realm of the owner of the token in the header
// 4. validates the assigned scopes of the token owner by looking for the first match
// 5. sets a hardcoded outgoing Authorization header
// 6. forwards the request to https://www.example.org
// 7. prints audit log when the response is done, with the request
// body included, unlimited number of bytes (watch performance!!!)
//
checkScope: Host("^services.foo.org$")
-> auditLog(-1)
-> auth("/services", "read-kio", "write-kio")
-> basicAuth("service9", "secret")
-> "https://www.example.org";
// Employees in the right team as themselves
//
// 1. matches requests to host employees.foo.org with path /my-home
// 2. validates the incoming Authorization header
// 3. validates the realm of the owner of the token in the header
// 4. validates the team membership of the token owner by looking for the first match
// 5. forwards the request to https://www.example.org with the incoming Authorization header
//
checkTeam: Host("^employees.foo.org$") && Path("/my-home")
-> authTeam("/employees", "monkey", "mop")
-> "https://www.example.org";