Rule Configuration - wklausing/ApolloACPlugin GitHub Wiki
Rules are configured in rules.json, which consists of a JSON array in which each JSON object is a separate rule. Rules fall into two categories: header (Header-based access control) and purpose (Purpose-based access control). Below you can see the overall structure of each rule category and at least one example for each rule.
## Verify the request via request header

```
{
  "field": <String/String_Array>,
  "category": "header",
  "operation": <Operation>,
  "compare": <String>,
  "value": <String/String_Array>,
  "error": <Error_Handling>*,
  "policy": <Allow/Deny>*
}
```
| Attribute | Description |
|---|---|
| field | Which field this rule applies to; "*" for all fields. |
| operation | One of the following: CONTAINS, EQUAL, UNEQUAL, GREATER, LESS, GEQ, LEQ. |
| compare | Which header attribute needs to be checked. |
| value | The value the header attribute needs to have, based on operation. If operation == CONTAINS, the header attribute needs to contain the given value. If value is an array, the header attribute needs to contain one of the given values. |
| error* | Optional argument; default: EMPTYSTRING. Possible arguments: EMPTYSTRING (replaces the field value with an empty string), DELETE (removes the field completely), FORBIDDEN (returns a forbidden error to the user). |
| policy* | Optional argument; default: "allow", which means the rule only allows access to the given field if the conditions are met. "deny" does the opposite (prohibits access to the field when the conditions are met). |
```json
{
  "field": "TrackerDistance",
  "category": "header",
  "operation": "CONTAINS",
  "compare": "user-agent",
  "value": "Chrome",
  "policy": "deny"
}
```

This HeaderRule would display an empty string (the default error handling) in the "TrackerDistance" field if the user-agent of the request contains "Chrome".
## Verify the request via given purpose

```
{
  "field": <String/String_Array>,
  "category": "purpose",
  "purpose": <String/String_Array>,
  "exception": <String/String_Array>,
  "error": <ErrorHandling>*,
  "policy": <Allow/Deny>*
}
```
| Attribute | Description |
|---|---|
| purpose | The purpose(s), including everything beneath them, that are allowed for the field. |
| exception | A purpose beneath the given purpose that is nevertheless not allowed to see the field. |

Explanations of the other attributes can be found in the "Header Access Control" chapter above.
```json
{
  "field": "TotalSteps",
  "category": "purpose",
  "purpose": "health",
  "exception": "prescriptive sleep analytics",
  "error": "delete"
}
```
This PurposeRule would delete the field "TotalSteps" if the stated purpose wasn't health or anything beneath it. "Prescriptive sleep analytics" is the only exception to that rule.
```json
{
  "field": "TotalSteps",
  "category": "purpose",
  "purpose": "health",
  "exception": "prescriptive sleep analytics",
  "error": "delete",
  "policy": "deny"
}
```
This PurposeRule would delete the field "TotalSteps" if the stated purpose was health or anything beneath it. "Prescriptive sleep analytics" is the only exception to that rule.
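To make the semantics of both rule categories concrete, here is an added evaluator (not the plugin's own code) that walks a rules.json array and decides, for one field and one request, whether the field is allowed or which error handling applies. It assumes a constructed purpose tree (child to parent) in which "beneath" means descendant, that an exception also covers purposes beneath it, and that request headers are keyed in lower case; the sample rules are the two examples from this page.

```javascript
const OPS = {
  CONTAINS: (a, v) => a.includes(v),
  EQUAL: (a, v) => a === v,
  UNEQUAL: (a, v) => a !== v,
  GREATER: (a, v) => Number(a) > Number(v),
  LESS: (a, v) => Number(a) < Number(v),
  GEQ: (a, v) => Number(a) >= Number(v),
  LEQ: (a, v) => Number(a) <= Number(v),
};
// Constructed purpose tree (child -> parent); assumption about how "beneath" is modelled.
const PURPOSE_PARENT = { health: null, 'sleep analytics': 'health', 'prescriptive sleep analytics': 'sleep analytics', marketing: null };

function isBeneathOrEqual(purpose, ancestor) {
  for (let p = purpose; p != null; p = PURPOSE_PARENT[p]) if (p === ancestor) return true;
  return false;
}
const asList = (x) => (Array.isArray(x) ? x : [x]);

// True when the rule's condition holds for this request (header match, or purpose in scope and not excepted).
function conditionMet(rule, request) {
  if (rule.category === 'header') {
    const actual = request.headers[rule.compare.toLowerCase()] ?? '';
    return asList(rule.value).some((v) => OPS[rule.operation](actual, v));
  }
  if (rule.category === 'purpose') {
    const inScope = asList(rule.purpose).some((p) => isBeneathOrEqual(request.purpose, p));
    const excepted = asList(rule.exception ?? []).some((e) => isBeneathOrEqual(request.purpose, e));
    return inScope && !excepted;
  }
  throw new Error(`unknown category ${rule.category}`);
}

// Walk the rules in order; the first applicable rule whose outcome blocks the field decides.
// Returns 'ALLOW' or the rule's error handling (EMPTYSTRING by default, DELETE, FORBIDDEN).
function decide(rules, field, request) {
  for (const rule of rules) {
    const fields = asList(rule.field);
    if (!fields.includes('*') && !fields.includes(field)) continue;
    const met = conditionMet(rule, request);
    const allowPolicy = (rule.policy ?? 'allow').toLowerCase() === 'allow';
    if (met !== allowPolicy) return (rule.error ?? 'EMPTYSTRING').toUpperCase();
  }
  return 'ALLOW';
}

// Constructed sample input: the two example rules from this page.
const SAMPLE_RULES = [
  { field: 'TrackerDistance', category: 'header', operation: 'CONTAINS', compare: 'user-agent', value: 'Chrome', policy: 'deny' },
  { field: 'TotalSteps', category: 'purpose', purpose: 'health', exception: 'prescriptive sleep analytics', error: 'delete' },
];
```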