8. EPMO Open Source Coordination Office Redaction File Detail Report

Produced by Araxis Merge on 4/5/2017 4:21:38 PM Central Daylight Time. See www.araxis.com for information about Merge. This report uses XHTML and CSS2, and is best viewed with a modern standards-compliant browser. For optimum results when printing this report, use landscape orientation and enable printing of background images and colours in your browser.

8.1 Files compared

#	Location	File	Last Modified
1	C:\working_scrub\Unredacted\Direct Code Base\DSM_Bld2_Source_Code_CIF_2017-02-14\api_build02-sprint01\application\views\api\onboarding\services	directory_search.php	Fri Oct 21 18:34:06 2016 UTC
2	eHX-CIF.zip\eHX-CIF\Direct Code Base\DSM_Bld2_Source_Code_CIF_2017-02-14\api_build02-sprint01\application\views\api\onboarding\services	directory_search.php	Mon Apr 3 13:54:45 2017 UTC

8.2 Comparison summary

Description	Between Files 1 and 2
Description	Text Blocks	Lines
Unchanged	2	216
Changed	1	2
Inserted	0	0
Removed	0	0

8.3 Comparison options

Whitespace
Character case	Differences in character case are significant
Line endings	Differences in line endings (`CR` and `LF` characters) are ignored
CR/LF characters	Not shown in the comparison detail

8.4 Active regular expressions

No regular expressions were active.

8.5 Comparison detail

	1	<?php
	2	/**
	3	* @packag e direct-a s-a-servic e
	4	* @subpac kage views
	5	* @fileso urce
	6	/ /* */
	7
	8	$this->loa d->view('a pi/header' );
	9	$this->loa d->view('a pi/nav');
	10	?>
	11	<h1><a hre f="/onboar ding/docum entation/" class="un derline">D ocumentati on</a> &ra rr; /direc t/addresse s - GET</h 1>
	12	<p>
	13	The di rectory se arch web s ervice all ows author ized appli cations to retrieve directory informatio n and can be accesse d by sendi ng a GET r equest to /direct/ad dresses.
	14	</p>
	15	<h3>Authen tication</ h3>
	16	<p>
	17	The AP I authenti cation uti lized is b ased upon hash messa ge authent ication co de (HMAC). HMAC is a n authenti cation met hod that c ombines a cryptograp hic hash f unction wi th a secre t cryptogr aphic key. After the successfu l registra tion of an applicati on on the API, a pub lic and pr ivate key like the e xample bel ow will be provision ed for its use.
	18	</p>
	19	<p class=" code">
	20	Public Key: eca4 15a13daaec 88cabba68b 81a2149c97 800864acd9 ef0e15b5b8 426de2464d
	21	<br/>P rivate Key : 0097cd10 9a3b72df1f 988e4a6e3e 344ecc02cd ab9a03736b c12463b7d1 b889a8
	22	</p>
	23	<p>
	24	On eve ry request that an a pplication sends to the API th ey must in clude an A uthorizati on header. The autho rization h eader is a string th at the API will util ize to con firm the i dentity, a nd the mes sage conte nt, of the sender. T he authori zation hea der consis ts of thre e parts. T he first p art is the API ident ifier, rep resented b y the word "DAAS", w hich stand s for Dire ct as a Se rvice. The API ident ifier is f ollowed by a space t hat separa tes it fro m the iden tifying co ntent. The identifyi ng content consists of the uni que public key and t he base64 encoded HM AC hash ge nerated by the reque st content and the p rivate key , delimite d by a col on. An exa mple of th e authoriz ation head er is belo w.
	25	</p>
	26	<p class=" code">
	27	Author ization: D AAS eca415 a13daaec88 cabba68b81 a2149c9780 0864acd9ef 0e15b5b842 6de2464d: Y2UwOTMwNG RmYzhlNTQ0 YTZiODlmMD kwYWQzOWY1 ODZmNzI4OT E5NTc3ZTYy YWE2M2EwNT hlMGIzMTZk ZTZlZA==
	28	</p>
	29	<p>
	30	The HM AC string is generat ed by runn ing an HMA C hash fun ction on a plain tex t string a nd the app lication's private k ey. The pl ain text s tring that must be h ashed usin g HMAC is constructe d as follo ws:
	31	<ul>
	32	<li>HT TP Request Type</li>
	33	<li>Da te</li>
	34	<li>Co ntent-MD5 (Optional) </li>
	35	<li>UR I</li>
	36	</ul>
	37	These valu es are sep arated by new line c haracters ("\n"). An example o f the plai n text str ing is bel ow:
	38	</p>
	39	<p class=" code">
	40	GET\n0 6/03/2013 12:13:56 E ST\niB94ga wbwUSiZy5F uruIOQ==\n /direct/ad dresses/fo rmat/json? search=tes tuser1
	41	</p>
	42	<p>
	43	The st ring above is hashed with the applicatio n's privat e key usin g the SHA- 256 algori thm. A sni ppet of Ja vaScript c ode showin g an examp le of this is shown below:
	44	</p>
	45	<p class=" code">
	46	var ha shString = CryptoJS. HmacSHA256 ("GET\n06/ 03/2013 12 :13:56 EDT \niB94gawb wUSiZy5Fur uIOQ==\n/d irect/addr esses/form at/json?se arch=testu ser1","009 7cd109a3b7 2df1f988e4 a6e3e344ec c02cdab9a0 3736bc1246 3b7d1b889a 8");
	47	<br/>v ar base64 = encode64 (""+hashSt ring);
	48	<br/>v ar authori zation = " DAAS eca41 5a13daaec8 8cabba68b8 1a2149c978 00864acd9e f0e15b5b84 26de2464d: "+base64;
	49	</p>
	50	<p>
	51	In the example a bove the C ontent MD5 is provid ed but thi s is an op tional fie ld. If the Content M D5 header is not spe cified the n the hash should no t have the MD5 speci fied eithe r.
	52	</p>
	53	<h3>Header s</h3>
	54	<div class ="column">
	55	<div c lass="left ">
	56	<u l>
	57	<li>Auth orization< /li>
	58	<p>
	59	The first requ ired heade r is the A uthorizati on header covered in the Authe ntication section at the top o f this pag e.
	60	</p>
	61	<li>Date or X-Daas -Date</li> h2
	62	<p>
	63	Some browsers will not l et an appl ication sp ecify the Date heade r programm atically, so in this case it i s also acc eptable to use the X -Daas-Date header as the API w ill interp ret them i nterchange ably. This header sh ould be po pulated wi th the cur rent date and time, in any sta ndard form at (includ ing time z one inform ation if n ot time zo ne agnosti c), when t he GET req uest is su bmitted. T he value s upplied in the Date header mus t match th e value us ed in the creation o f the hash string fo r the Auth orization header.
	64	</p>
	65	</ ul>
	66	</div>
	67	<div c lass="righ t">
	68	<u l>
	69	<li>Cont ent-Md5</l i>
	70	<p>
	71	The optional h eader is t he Content -Md5 heade r. This he ader shoul d contain an MD5 has h of the G ET query s tring. If this heade r is speci fied then it must al so be incl uded in th e hash str ing for th e authoriz ation head er. This e xtra secur ity measur e is not t ypically n ecessary f or GET req uests; how ever, the option is available so that th e paramete rs sent in the GET r equest can be valida ted by the API as no t having b een tamper ed with in transit.
	72	</p>
	73	</ ul>
	74	</div>
	75	</div>
	76	<h3>Argume nts</h3>
	77	<ul>
	78	<li>Se arch</li>
	79	<p>
	80	Th is is an o ptional fi eld; the i nput will be used to search ag ainst all available contacts i n the dire ctory. Inp ut will be compared against na me, Direct address, and facili ty. If thi s field is not provi ded, an un filtered l ist of all contacts will be pr ovided.
	81	</p>
	82	</ul>
	83	<h3>Exampl e Response </h3>
	84	<ul>
	85	<li>Su ccess</li>
	86	<ul>
	87	<li>HTTP-2 00, {"requ est_id":"7 2494","con tacts":[{" displaynam e":"User, Test","mai l":"testus er12345678 9@dev.dire ct. DNS ","uid":"t estuser123 456789","g ivenname": "Test","sn ":"User"," cn":"Test User","fac ility":"VA Test Faci lity"}],"c ount":1}
	88	</ li>
	89	</ul>
	90	<li>Er ror</li>
	91	<ul>
	92	<l i>
	93	HTTP-401 , Â {"requ est_id":"2 ", "messag e": "Acces s Denied. Authentica tion Faile d."}
	94	</ li>
	95	<l i>
	96	HTTP-500 , {"reques t_id":"5", "message": " Search F ailed due to Interna l Error."}
	97	</ li>
	98
	99	</ul>
	100	</ul>
	101	<h3>Sample Code</h3>
	102	<p>
	103	Please click <a href="/onb oarding/do cumentatio n/validate _example"> here</a> t o be taken to some s ample code snippets for the va lidate web service.
	104	</p>
	105	</div>
	106	<?PHP $thi s->load->v iew('api/f ooter'); ? >
	107	</div>
	108	</body>
	109	</html>