Merge pull request #44 from Software-Hardware-Integration-Lab/susdocs

Initial SHI - URL Shortener documentation. More to come!

Author: elliot-huffman

docs/URL-Shortener/Getting-Started.md

@@ -0,0 +1,7 @@
+# Getting Started
+
+This page outlines how to deploy SUS.
+
+## Steps
+
+Coming soon!

docs/URL-Shortener/Prerequisites/Authorization-&-RBAC.md

@@ -0,0 +1,15 @@
+# Authorization & RBAC
+
+The service expects upstream authentication (e.g., bearer token from Entra ID). These permissions are app roles defined on the ```End User Login``` app registration.
+
+Elevated (Privileged) User Permissions:
+
+| Scope Value             | Description |
+|-------------------------|-------------|
+| Everything.ReadWrite.All | Grants the principal the ability to read and write everything in SUS. This role is designed for moderation of all links created by all users as by default only the creating user has access to the link. This role can also be used as break glass access. This is a highly privileged role and should not be used normally. Please use the fine-grained roles where possible. |
+| Redirect.ReadWrite.All  | Create, read, update and delete all URL redirects. Bypasses any RBAC and lets you see everything (no constraints). Do not use this for general access, please use the built-in RBAC. This is meant for automation and privileged admin/access. |
+| Domain.ReadWrite.All    | Create, read, update and delete items from the list of domains allowed to be used for vanity URLs. Bypasses any RBAC and lets you see everything (no constraints). Do not use this for general access, please use the built-in RBAC. This is meant for automation and privileged admin/access. |
+| BanList.ReadWrite.All   | Create, read, update and delete items on the banned term list. Bypasses any RBAC and lets you see everything (no constraints). Do not use this for general access, please use the built-in RBAC. This is meant for automation and privileged admin/access. |
+| Rbac.ReadWrite.All      | Create, read, update and delete RBAC Assignments. Bypasses any RBAC and lets you see everything (no constraints). Do not use this for general access, please use the built-in RBAC. This is meant for automation and privileged admin/access. |
+
+RBAC assignments are available to allow dynamic delegation without full superuser elevation.

docs/URL-Shortener/Prerequisites/Graph-API-Permissions.md

@@ -0,0 +1,20 @@
+# Required Permissions
+
+The application is broken up into two parts, the server and the end user experience. The server has permissions granted to it so that it can validate the incoming data. The end user experience has permissions so that the end user is able to provide IDs to the server for user and group assignments.
+
+## Server - Service Principal
+
+The following Entra ID Service Principal permissions are required to run the service. These are mandatory at all times.
+
+| Graph API Permission| Permission Type |Description                                                                 |
+|--------------------------------------------------------------------------------------|-----------------|-----------------------------------------------------------------------------|
+| [`Group.Read.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#groupreadall){:target="_blank"} | Application     | Used to validate group Object IDs provided as part of an RBAC assignment.  |
+| [`User.Read.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#userreadall){:target="_blank"} | Application     | Used to retrieve user's transitive group membership list for RBAC assignment validation. |
+
+## End User Auth - Service Principal
+
+| Graph API Permission                                                                 | Permission Type | Description                                                                 |
+|--------------------------------------------------------------------------------------|-----------------|-----------------------------------------------------------------------------|
+| [`profile`](https://learn.microsoft.com/en-us/graph/permissions-reference#profile){:target="_blank"} | Delegated       | Used to authenticate the end user.                                          |
+| [`User.Read.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#userreadall){:target="_blank"} | Delegated       | Used to authenticate the end user and retrieve their profile picture.       |
+| [`Group.Read.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#groupreadall){:target="_blank"} | Delegated       | Used to retrieve the list of groups that can be assigned in an RBAC assignment. |

docs/URL-Shortener/Prerequisites/index.md

@@ -0,0 +1,14 @@
+## System Requirements
+
+### Hosting Environment
+
+- **Platform**: Azure App Service  
+- **Runtime**: Node.js 22 LTS (or latest stable version)  
+- **Deployment Mode**: Code deploy mode  
+- **Identity Configuration**:  
+    - **System-assigned Managed Identity**: Must be enabled  
+    - This identity will be used to authenticate against Microsoft Graph API for identity-aware redirection and access control.
+
+---
+
+The application is broken up into two parts, the server and the end user experience. The server has permissions granted to it so that it can validate the incoming data. The end user experience has permissions so that the end user is able to provide IDs to the server for user and group assignments.

docs/URL-Shortener/Reference/Development/OpenAPI.md

@@ -0,0 +1,9 @@
+# OpenAPI Specification
+
+The SUS service is documented using the OpenAPI version 3 specification format. This ensures seamless integration with automation tools, SDK generators, and client libraries.
+
+All concrete route definitions, schemas, and status codes are maintained in the OpenAPI spec, which serves as the authoritative source for the HTTP surface.
+
+Spec Location:
+<https://specs.shilab.com/>
+Please reach out to the SHI Lab team for guidance on best practices, integration support, and usage recommendations.

docs/URL-Shortener/Reference/Development/Server-Setup.md

@@ -0,0 +1,9 @@
+This section describes setting up a production instance of the URL redirect server.
+
+Deploy the bicep template (urlShortener.bicep) found in the ./infrastructureTemplates folder. To deploy the template, you will need the Entra ID Cloud Application Administrator role or higher.
+
+How to deploy bicep templates:
+```https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/deploy-powershell```
+
+If you want to set this up on-prem or in a different environment, please refer to the configurations in the bicep template for infra specific configurations. If you wish to not authenticate with a managed identity, please see here for alternate authentication configurations:
+```https://www.npmjs.com/package/@azure/identity#environment-variables```

docs/URL-Shortener/Reference/Settings/Environment-Variables-Reference.md

@@ -0,0 +1,95 @@
+# Environmental Variable Reference
+
+Environmental variables are used to configure core behaviors/configurations of the server software.
+
+The configurations are exposed as environmental variables rather than config files or registry keys to provide maximum support for wherever the server is hosted.
+Config files don't work well in serverless environments where the state should not change, and the registry is only available on Windows.
+Serverless, Windows, and Linux all share a common option: Environmental Variables. This works equally well across all of them.
+
+Below is a list of all environmental variable configurations that the server can use. There are data format examples and descriptions so that you are not going blind to what a config can look like and does.
+
+The title of the section is the name of the environmental variable.
+
+For authentication configuration, please see here for more environmental variables that are supported by SUS via the Microsoft Authentication Library for Node.JS [@azure/identity](https://www.npmjs.com/package/@azure/identity#environment-variables){:target="_blank"}.
+
+---
+
+## `SUS_TenantId`
+
+- Mandatory: `true`
+- Expected string format: GUID
+- Allowed values: GUID
+- Default Value: `00000000-0000-0000-0000-000000000000`
+- Description: Tenant ID of the tenant that the app considers home/authenticates to. Defaults to NULL if not defined and should be overridden during authentication engine start.
+
+## `SUS_DB_Host`
+
+- Mandatory: `false`
+- Expected string format: string
+- Allowed values: string
+- Default Value: `localhost`
+- Description: Host name of the Azure SQL DB that should be used for storing simple data.
+
+## `SUS_DB_Name`
+
+- Mandatory: `false`
+- Expected string format: string
+- Allowed values: string
+- Default Value: `UrlShortener`
+- Description: Name of the DB to access and use for relational data storage. This is necessary for Azure SQL DBs as the DB has to be created ahead of time and shouldn't be created inline as a best practice.
+
+## `SUS_Debug`
+
+- Mandatory: `false`
+- Expected string format: boolean
+- Allowed values: true
+- Default Value: `false`
+- Description: Flag that indicates if the API service should be in debug mode.
+
+## `SUS_Headless`
+
+- Mandatory: `false`
+- Expected string format: boolean
+- Allowed values: true
+- Default Value: `false`
+- Description: Flag that indicates the system should run with no user interface render.
+
+## `SUS_LocalDb`
+
+- Mandatory: `false`
+- Expected string format: boolean
+- Allowed values: true
+- Default Value: `false`
+- Description: Flag that indicates the SQLite should be used for the ORM. All other functions are untouched.
+
+## `SUS_Local`
+
+- Mandatory: `false`
+- Expected string format: boolean
+- Allowed values: true
+- Default Value: `false`
+- Description: Flag that controls if the server should run with local resources only. This uses SQLite and prevents external resource calls allowing for a true local only execution experience.
+
+## `SUS_DefaultTarget`
+
+- Mandatory: `false`
+- Expected string format: URL
+- Allowed values: URL
+- Default Value: `https://shi.com`
+- Description: Location that the service will redirect to if a match is not found.
+
+## `SUS_AuthAudience`
+
+- Mandatory: `true`
+- Expected string format: GUID
+- Allowed values: GUID
+- Default Value: `00000000-0000-0000-0000-000000000000`
+- Description: Application ID of the app registration to use as the audience value in the access token validation. Not mandatory if in debug mode as auth is not enforced in debug mode.
+
+## `SUS_Test`
+
+- Mandatory: `false`
+- Expected string format: boolean
+- Allowed values: true
+- Default Value: `false`
+- Description: Flag that indicates if the application should have special behavior based on if the system is running through automated QA.

docs/URL-Shortener/Usage-Guide.md

@@ -0,0 +1,3 @@
+# Usage Guide
+
+This guide explains how to operate SUS once it's been deployed. It covers core Redirect URL creation, RBAC Assignments, Domain Configuration, Banned Terms, and links to detailed task-level workflows.

docs/URL-Shortener/index.md

@@ -0,0 +1,27 @@
+# URL Shortener
+
+## Overview
+
+The **SHI - URL Shortener (SUS)** is a security-focused, privacy respecting, compliance-ready URL redirection service. SUS provides controlled creation and management of short URLs, delegated administration through RBAC, strong input validation, and guardrails to prevent misuse (e.g., banned terms, domain scoping).
+
+## Audience
+
+This documentation is primarily intended for technical users who are responsible for deploying, configuring, and maintaining the URL Shortener service within customer environments. While the content is geared toward technical implementation, it is written to be accessible to non-technical stakeholders as well.
+
+## SUS in the Security Landscape
+
+- Zero trust: Every request re‑validated (types, UUID formats, filter shapes).
+- Strong runtime validation: Uses structural equality/type guards to reject malformed inputs early (400).
+- Principle of least privilege: Distinct scopes required for privileged sets (e.g., domain & ban list modifications).
+- Protective lists: Banned terms and controlled domains for fine grained control over what is created by end users.
+- Separation of concerns: Routing layer delegates business logic to a Redirect Engine singleton.
+- Minimal disclosure: Nonexistent management records yield 404 without leaking broader state.
+- Auditable mutation points: Create/Update/Delete paths are centralized for logging.
+
+## Prerequisites
+
+Check out this page for more details: [Getting Started - Prerequisites](Prerequisites/index.md)
+
+## Summary
+
+In the rest of the documentation, we will provide detailed instructions on how to install, configure, and use SUS to achieve these benefits.

docs/assets/Styles/common.css

@@ -1,3 +1,16 @@
+.susIcon {
+    /* Detaches the icon from being dependant on other HTML elements for its render. */
+    display: inline-block;
+    /* Size of the icon to be rendered. */
+    font-size: 1.5em;
+    /* Prevent the line from getting larger as the icon does. */
+    line-height: 1;
+    /* Prevent the line from getting larger as the icon does. */
+    height: 1em;
+    /* Ensure that the icon renders in the center of the line, equal with the following text. */
+    vertical-align: middle;
+}
+
 /* Light mode */
 [data-md-color-scheme="default"] {
     --md-default-bg-color: white;
@@ -25,4 +38,4 @@
 [data-md-color-scheme="slate"] .md-tooltip--active {
     color: black;
     background-color: white;
-}
+}