Getting user details
You can get the details of the current user by sending the event com.apama.cumulocity.GetCurrentUser to com.apama.cumulocity.GetCurrentUser.SEND_CHANNEL. This results in events of type com.apama.cumulocity.GetCurrentUserResponse being returned on com.apama.cumulocity.GetCurrentUserResponse.SUBSCRIBE_CHANNEL.
The com.apama.cumulocity.GetCurrentUserResponse returned contains a com.apama.cumulocity.CurrentUser event, which in turn contains the id of the user, the userName, a sequence of effectiveRoles for the user and a dictionary of userOptions.
By default, this is the user the Apama application is running as: the user configured in the Cumulocity IoT connection when the application runs outside Cumulocity IoT, or the service user of the microservice when it runs inside Cumulocity IoT.
You can request the details and permissions of another user by overriding the authorization or cookie headers in the com.apama.cumulocity.GetCurrentUser event. This is normally used when you take the authentication details from a request made to your application and use them to determine which roles that user has.
Example - checking a user based on information in a received request:
using com.apama.cumulocity.GetCurrentUser;
using com.apama.cumulocity.GetCurrentUserResponse;
using com.apama.cumulocity.GetCurrentUserResponseFailed;
using com.apama.cumulocity.Role;

/** Event containing extracted information retrieved from an
 *  HTTP request where we want to check the validity of the user */
event ActionRequest {
    string authorization;
    string actionToTake;
    string requestId;
    string channel;
}

/** Response for the HTTP request */
event ActionResponse {
    string requestId;
    string actionResult;
}

/** Response if authorization failed */
event ActionNotAllowed {
    string requestId;
}

...

        monitor.subscribe(GetCurrentUserResponse.SUBSCRIBE_CHANNEL);

        // Listen for incoming HTTP requests
        on all ActionRequest() as ar {
            integer reqId := com.apama.cumulocity.Util.generateReqId();

            // Send a request to check the user from the incoming request
            GetCurrentUser checkUser := new GetCurrentUser;
            checkUser.reqId := reqId;
            checkUser.authorization := ar.authorization;
            send checkUser to GetCurrentUser.SEND_CHANNEL;

            // If authentication passed, check authorization
            on GetCurrentUserResponse(reqId=reqId) as res and not
               GetCurrentUserResponseFailed(reqId=reqId) {
                if checkHasRoles("ActionAllowed", res.user.effectiveRoles) {
                    send ActionResponse(ar.requestId, performAction(ar.actionToTake))
                        to ar.channel;
                } else {
                    send ActionNotAllowed(ar.requestId) to ar.channel;
                }
            }

            // If authentication failed, return an error
            on GetCurrentUserResponseFailed(reqId=reqId) as err and not
               GetCurrentUserResponse(reqId=reqId) {
                send ActionNotAllowed(ar.requestId) to ar.channel;
            }
        }
    } // closes the onload() action opened in the elided part above

    action performAction(string actionToTake) returns string {
        // Do some action
        return "";
    }

    action checkHasRoles(string role, sequence<Role> effectiveRoles) returns boolean {
        Role r;
        for r in effectiveRoles {
            if r.id = role {
                return true;
            }
        }
        return false;
    }
}
You can override the current user in one of the following ways:

Set the authorization header to that of the other user. This is used for basic authentication and returns the details of that other user. If the header is invalid, GetCurrentUserResponseFailed is returned.

Set both authCookie and xsrfToken to valid values for the other user. This returns the details of that other user. If either authCookie or xsrfToken is incorrect or not set, GetCurrentUserResponseFailed is returned.

Set none of authorization, authCookie or xsrfToken. This returns the details of the current user.
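The following monitor is an added example and is not code from the Apama documentation or the Cumulocity bundle. It covers the two override paths the text does not show in the example above: resolving the application's own user (no override set) and resolving another user from authCookie and xsrfToken, denying the request by default when the platform reports GetCurrentUserResponseFailed or does not answer at all. The CookieAuthRequest and CookieAuthResult events, the CookieUserLookup monitor name, the roleIds helper and the 10-second timeout are assumptions made for this example; the using declaration for com.apama.cumulocity.Role follows the sequence<Role> type used in the example above.

```epl
using com.apama.cumulocity.GetCurrentUser;
using com.apama.cumulocity.GetCurrentUserResponse;
using com.apama.cumulocity.GetCurrentUserResponseFailed;
using com.apama.cumulocity.Role;

/** Constructed event (hypothetical): cookie values the application
 *  extracted from an incoming request whose user must be resolved. */
event CookieAuthRequest {
    string authCookie;
    string xsrfToken;
    string requestId;
    string channel;
}

/** Constructed reply (hypothetical): whether the cookies identified a
 *  user and, if so, which role ids that user effectively has. */
event CookieAuthResult {
    string requestId;
    boolean authenticated;
    sequence<string> roleIds;
}

monitor CookieUserLookup {
    action onload() {
        monitor.subscribe(GetCurrentUserResponse.SUBSCRIBE_CHANNEL);

        // Resolve the user the application itself runs as: no
        // authorization, authCookie or xsrfToken is set on the request.
        integer selfReqId := com.apama.cumulocity.Util.generateReqId();
        GetCurrentUser self := new GetCurrentUser;
        self.reqId := selfReqId;
        send self to GetCurrentUser.SEND_CHANNEL;
        on GetCurrentUserResponse(reqId=selfReqId) as res {
            log "Application runs as " + res.user.userName at INFO;
        }

        on all CookieAuthRequest() as req {
            integer reqId := com.apama.cumulocity.Util.generateReqId();
            GetCurrentUser lookup := new GetCurrentUser;
            lookup.reqId := reqId;
            // Both cookie values must be set; if either is missing or wrong
            // the platform answers with GetCurrentUserResponseFailed.
            lookup.authCookie := req.authCookie;
            lookup.xsrfToken := req.xsrfToken;
            send lookup to GetCurrentUser.SEND_CHANNEL;

            listener ok := on GetCurrentUserResponse(reqId=reqId) as res
                    and not GetCurrentUserResponseFailed(reqId=reqId) {
                send CookieAuthResult(req.requestId, true,
                                      roleIds(res.user.effectiveRoles)) to req.channel;
            }

            // Failed authentication, or no answer within the (assumed)
            // 10-second timeout: deny, and stop waiting for a late success.
            on (GetCurrentUserResponseFailed(reqId=reqId) or wait(10.0))
                    and not GetCurrentUserResponse(reqId=reqId) {
                ok.quit();
                send CookieAuthResult(req.requestId, false,
                                      new sequence<string>) to req.channel;
            }
        }
    }

    /** Collect the role ids so callers never touch the Role events. */
    action roleIds(sequence<Role> roles) returns sequence<string> {
        sequence<string> ids := new sequence<string>;
        Role r;
        for r in roles {
            ids.append(r.id);
        }
        return ids;
    }
}
```

The timeout branch quits the success listener so a reply that arrives after the deadline cannot produce a second, contradictory CookieAuthResult for the same requestId; whichever of the two listeners fires first decides the outcome, and the default outcome is a denial.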