<#
.SYNOPSIS
A PowerShell script to set up a Pode server with basic authentication and role/group-based access control.
.DESCRIPTION
This script sets up a Pode server that listens on a specified port, enables request and error logging,
configures basic authentication, and sets up role and group-based access control. It defines various routes
with specific access requirements.
.PARAMETER Location
The location where the API key is expected. Valid values are 'Header', 'Query', and 'Cookie'. Default is 'Header'.
.EXAMPLE
To run the sample: ./Web-AuthBasicAccess.ps1
This example shows how to use sessionless authentication, which is mostly used for
REST APIs. The example used here is Basic authentication.
Calling the '[POST] http://localhost:8081/users-all' endpoint, with an Authorization
header of 'Basic bW9ydHk6cGlja2xl' will display the users. Anything else and
you'll get a 401 status code back.
Success:
Invoke-RestMethod -Uri http://localhost:8081/users-all -Method Post -Headers @{ Authorization = 'Basic bW9ydHk6cGlja2xl' }
Failure:
Invoke-RestMethod -Uri http://localhost:8081/users-all -Method Post -Headers @{ Authorization = 'Basic bW9ydHk6cmljaw==' }
.LINK
https://github.com/Badgerati/Pode/blob/develop/examples/Dot-SourceScript.ps1
.NOTES
Author: Pode Team
License: MIT License
#>
# Locate the Pode module: prefer a source checkout (../src/Pode.psm1 relative to
# this script), and fall back to the installed module otherwise.
try {
    $ScriptPath = Split-Path -Parent -Path $MyInvocation.MyCommand.Path
    $podePath = Split-Path -Parent -Path $ScriptPath
    $sourceModule = "$($podePath)/src/Pode.psm1"

    if (Test-Path -Path $sourceModule -PathType Leaf) {
        # Development checkout: load straight from source, replacing any already-loaded copy
        Import-Module $sourceModule -Force -ErrorAction Stop
    }
    else {
        # Installed module: stay on the 2.x line
        Import-Module -Name 'Pode' -MaximumVersion 2.99 -ErrorAction Stop
    }
}
catch {
    # Re-throw so a failed import aborts the script with the original error record
    throw
}
# or just:
# Import-Module Pode
# create a server, and start listening on port 8081
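# Create the server and start listening on port 8081.
# Everything below runs inside Pode: the endpoint, the access schemes, the Basic
# auth validator and the routes that combine them.
Start-PodeServer -Threads 2 {
    # listen on localhost:8081 over plain HTTP. Example only: Basic credentials are
    # base64-encoded, not encrypted, so anything beyond a local demo should be served over HTTPS.
    Add-PodeEndpoint -Address localhost -Port 8081 -Protocol Http

    # setup RBAC: one scheme keyed on the user's Roles, one on the user's Groups,
    # plus two merged schemes - 'TestMergedAll' requires both to pass, 'TestMergedOne' requires either
    New-PodeAccessScheme -Type Role | Add-PodeAccess -Name 'TestRbac'
    New-PodeAccessScheme -Type Group | Add-PodeAccess -Name 'TestGbac'
    Merge-PodeAccess -Name 'TestMergedAll' -Access 'TestRbac', 'TestGbac' -Valid All
    Merge-PodeAccess -Name 'TestMergedOne' -Access 'TestRbac', 'TestGbac' -Valid One

    # setup basic auth (base64> username:password in header)
    New-PodeAuthScheme -Basic -Realm 'Pode Example Page' | Add-PodeAuth -Name 'Validate' -Sessionless -ScriptBlock {
        param($username, $password)

        # here you'd check a real user storage, this is just for example.
        # PowerShell's -eq is case-insensitive, so the password is compared with -ceq;
        # with -eq, 'PICKLE' would have been accepted as well. The username keeps the
        # case-insensitive match, as account names usually are.
        if ($username -eq 'morty' -and $password -ceq 'pickle') {
            # The returned User object is what the routes' -Role/-Group checks are evaluated against
            return @{
                User = @{
                    ID           = 'M0R7Y302'
                    Name         = 'Morty'
                    Type         = 'Human'
                    Username     = 'm.orty'
                    Roles        = @('Developer')
                    Groups       = @('Software', 'Admins')
                    CustomAccess = @{ Example = 'test-val-1' }
                }
            }
        }

        # any other credentials: no User is returned, and (per the header comment) the caller gets a 401
        return @{ Message = 'Invalid details supplied' }
    }

    # Endware to output user auth state: prints $WebEvent.Auth to the host after every
    # request. Useful while exploring the example, not something to keep in a real service.
    Add-PodeEndware -ScriptBlock {
        $WebEvent.Auth | Out-Default
    }

    # POST request to get list of users - there's no Access, so any auth'd user can access
    Add-PodeRoute -Method Post -Path '/users-all' -Authentication 'Validate' -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Deep Thought'
                }
            )
        }
    }

    # POST request to get list of users - only Developer roles can access
    Add-PodeRoute -Method Post -Path '/users-dev' -Authentication 'Validate' -Access 'TestRbac' -Role Developer -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Leeroy Jenkins'
                }
            )
        }
    }

    # POST request to get list of users - only QA roles can access
    # (the example user has no QA role, so 'morty' is denied here)
    Add-PodeRoute -Method Post -Path '/users-qa' -Authentication 'Validate' -Access 'TestRbac' -Role QA -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Nikola Tesla'
                }
            )
        }
    }

    # POST request to get list of users - only users in the Software group can access
    Add-PodeRoute -Method Post -Path '/users-soft' -Authentication 'Validate' -Access 'TestGbac' -Group Software -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Smooth McGroove'
                }
            )
        }
    }

    # POST request to get list of users - only Developer role in the Admins group can access
    # (TestMergedAll: both the role check and the group check must pass)
    Add-PodeRoute -Method Post -Path '/users-dev-admin' -Authentication 'Validate' -Access 'TestMergedAll' -Role Developer -Group Admins -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Arthur Dent'
                }
            )
        }
    }

    # POST request to get list of users - either DevOps role or Admins group can access
    # (TestMergedOne: one passing check is enough)
    Add-PodeRoute -Method Post -Path '/users-devop-admin' -Authentication 'Validate' -Access 'TestMergedOne' -Role DevOps -Group Admins -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Monkey D. Luffy'
                }
            )
        }
    }

    # POST request to get list of users - either QA role or Support group can access
    # (the example user has neither, so 'morty' is denied here)
    Add-PodeRoute -Method Post -Path '/users-qa-support' -Authentication 'Validate' -Access 'TestMergedOne' -Role QA -Group Support -ScriptBlock {
        Write-PodeJsonResponse -Value @{
            Users = @(
                @{
                    Name = 'Donald Duck'
                }
            )
        }
    }
}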