MTSWebServices · annamikhailovapsk · Mar 23, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 17, 2026
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -39,7 +39,7 @@ security-scan:
     APPSECHUB_PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     APPSECHUB_SCA_SBOM_GENERATOR: custom
     APPSECHUB_SBOM_PATH: sbom.cyclonedx.json
-    APPSECHUB_SBOM_MASK: "*bom*.json"
+    APPSECHUB_SBOM_MASK: '*bom*.json'
     CUSTOM_SBOM_GENERATOR_JOB_NAME: sbom-creation
   rules:
     - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH

diff --git a/mddocs/_static/custom.css b/mddocs/_static/custom.css
@@ -0,0 +1,3 @@
+.logo {
+  width: 200px !important;
+}
diff --git a/mddocs/_static/icon.svg b/mddocs/_static/icon.svg
diff --git a/mddocs/_static/logo.svg b/mddocs/_static/logo.svg
diff --git a/mddocs/_static/logo_no_title.svg b/mddocs/_static/logo_no_title.svg
diff --git a/mddocs/_static/metrics.prom b/mddocs/_static/metrics.prom
@@ -0,0 +1 @@
+# Generated in CI
diff --git a/mddocs/_static/openapi.json b/mddocs/_static/openapi.json
@@ -0,0 +1,9 @@
+{
+  "openapi": "3.1.0",
+  "version": "unknown",
+  "info": {
+    "title": "Generated in CI",
+    "version": "unknown"
+  },
+  "paths": {}
+}
diff --git a/mddocs/_static/redoc.html b/mddocs/_static/redoc.html
@@ -0,0 +1,28 @@
+
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Horizon - ReDoc</title>
+    <!-- needed for adaptive design -->
+    <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <link rel="shortcut icon" href="../_static/icon.svg">
+    <!--
+    ReDoc doesn't change outer page styles
+    -->
+    <style>
+      body {
+        margin: 0;
+        padding: 0;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+        ReDoc requires Javascript to function. Please enable it to browse the documentation.
+    </noscript>
+    <redoc spec-url="../_static/openapi.json"></redoc>
+    <script src="https://cdn.jsdelivr.net/npm/redoc@next/bundles/redoc.standalone.js"></script>
+  </body>
+</html>
diff --git a/mddocs/_static/stats.prom b/mddocs/_static/stats.prom
@@ -0,0 +1 @@
+# Generated in CI
diff --git a/mddocs/_static/swagger.html b/mddocs/_static/swagger.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta
+    name="description"
+    content="SwaggerUI"
+  />
+  <title>SwaggerUI</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css" />
+  <link rel="shortcut icon" href="../_static/icon.svg">
+</head>
+<body>
+  <div id="swagger-ui"></div>
+  <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-bundle.js" crossorigin></script>
+  <script>
+    window.onload = () => {
+      window.ui = SwaggerUIBundle({
+        url: '../_static/openapi.json',
+        dom_id: '#swagger-ui',
+      });
+    };
+  </script>
+</body>
+</html>
diff --git a/mddocs/backend/architecture.md b/mddocs/backend/architecture.md
@@ -0,0 +1,8 @@
+# Architecture { #backend-architecture }
+
+```mermaid
+stateDiagram-v2
+[User] --> [RESTAPI]
+[RESTAPI] --> [Database]
+[RESTAPI] --> [LDAP]
+```
diff --git a/mddocs/backend/auth/cached_ldap.md b/mddocs/backend/auth/cached_ldap.md
@@ -0,0 +1,107 @@
+# LDAP Cached Auth provider { #backend-auth-ldap-cached }
+
+## Description { #cached_ldap-description }
+
+Same as [LDAP Auth provider][backend-auth-ldap-cached], but if LDAP request for checking user credentials was successful,
+credentials are stored in local cache (table in internal database, in form `login` + `hash(password)` + `update timestamp`).
+
+Next auth requests for the same login are performed against this cache **first**. LDAP requests are send *only* if cache have been expired.
+
+This allows to:
+
+- Bypass errors with LDAP availability, e.g. network errors
+- Reduce number of requests made to LDAP.
+
+Downsides:
+
+- If user changed password, and cache is not expired yet, user may still log in with old credentials.
+- Same if user was blocked in LDAP.
+
+## Interaction schema { #cached_ldap-interaction-schema }
+
+```mermaid
+sequenceDiagram
+participant "Client"
+participant "Backend"
+participant "LDAP"
+
+activate "Client"
+alt First time auth | Empty cache | Cache expired
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : No items found or item expired, using LDAP
+"Backend" ->> "Backend" : DN = bind_dn_template(login)
+"Backend" ->> "LDAP"  : Call bind(DN, password)
+"LDAP" ->> "Backend" : Successful
+"Backend" ->> "Backend" : Check user in internal backend database,\nusername = login
+"Backend" ->> "Backend" : Create user if not exist
+"Backend" ->> "Backend" : Save credentials to cache
+"Backend" ->> "Client"  : Generate and return access_token
+
+else Using cache, LDAP is totally ignored
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : Found credentials, check for expiration
+"Backend" ->> "Backend" : Not expired, validate password is matching hash
+"Backend" ->> "Backend" : Password match, not calling LDAP
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Create user if not exist
+"Backend" ->> "Client"  : Generate and return access_token
+
+else Password mismatch with cache, LDAP is totally ignored
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : Found credentials, check for expiration
+"Backend" ->> "Backend" : Not expired, validate password is matching hash
+"Backend" ->> "Backend" : Password do not match local cache
+"Backend" --x "Client"  : 401 Unauthorized
+
+else No cache or cache expired, LDAP is unavailable
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : No items found or item expired, using LDAP
+"Backend" ->> "Backend" : DN = bind_dn_template(login)
+"Backend" --x "LDAP" : Call bind(DN, password)
+"Backend" --x "Client"  : 503 Service unavailable
+
+else
+Note right of "Client" : Other cases are same as for LDAPAuthProvider,\nlike lookup, blocked/deleted users
+end
+
+alt Successful case
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Get data
+"Backend" ->> "Client"  : Return data
+
+else Token is expired
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" --x "Client"  : 401 Unauthorized
+
+else User is blocked
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" --x "Client"  : 401 Unauthorized
+
+else User is deleted
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" --x "Client"  : 404 Not found
+end
+
+deactivate "Client"
+```
+
+## Configuration { #cached_ldap-configuration }
+
+Other settings are just the same as for `LDAPAuthProvider`
+
+::: horizon.backend.settings.auth.cached_ldap.CachedLDAPAuthProviderSettings
+
+::: horizon.backend.settings.auth.cached_ldap.LDAPCacheSettings
+
+::: horizon.backend.settings.auth.cached_ldap.LDAPCachePasswordHashSettings
diff --git a/mddocs/backend/auth/custom.md b/mddocs/backend/auth/custom.md
@@ -0,0 +1,5 @@
+# Custom Auth provider { #backend-auth-custom }
+
+You can implement custom auth provider by inheriting from class below and implementing necessary methods.
+
+::: horizon.backend.providers.auth.AuthProvider
diff --git a/mddocs/backend/auth/dummy.md b/mddocs/backend/auth/dummy.md
@@ -0,0 +1,68 @@
+# Dummy Auth provider { #backend-auth-dummy }
+
+## Description { #dummy-description }
+
+This auth provider allows to sign-in with any username and password, and and then issues an access token.
+
+After successful auth, username is saved to backend database. It is then used for creating audit records for any object change, see `changed_by` field.
+
+## Interaction schema { #dummy-interaction-schema }
+
+```mermaid
+sequenceDiagram
+participant "Client"
+participant "Backend"
+
+activate "Client"
+alt Successful case
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Password is completely ignored
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Create user if not exist
+"Backend" ->> "Client"  : Generate and return access_token
+
+else User is blocked
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Password is completely ignored
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" --x "Client"  : 401 Unauthorized
+
+else User is deleted
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Password is completely ignored
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" --x "Client"  : 404 Not found
+end
+
+alt Successful case
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Get data
+"Backend" ->> "Client"  : Return data
+
+else Token is expired
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" --x "Client"  : 401 Unauthorized
+
+else User is blocked
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+
+else
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" --x "Client"  : 404 Not found
+end
+
+deactivate "Client"
+```
+
+## Configuration { #dummy-configuration }
+
+::: horizon.backend.settings.auth.dummy.DummyAuthProviderSettings
+
+::: horizon.backend.settings.auth.jwt.JWTSettings
diff --git a/mddocs/backend/auth/index.md b/mddocs/backend/auth/index.md
@@ -0,0 +1,26 @@
+# Auth Providers { #backend-auth-providers }
+
+Horizon supports different auth provider implementations. You can change implementation via settings:
+
+::: horizon.backend.settings.auth.AuthSettings
+
+## Auth providers
+
+* [Dummy Auth provider][backend-auth-dummy]
+  * [Description][dummy-description]
+  * [Interaction schema][dummy-interaction-schema]
+  * [Configuration][dummy-configuration]
+* [LDAP Auth provider][backend-auth-ldap]
+  * [Description][ldap-description]
+  * [Strategies][ldap-strategies]
+  * [Interaction schema][ldap-interaction-schema]
+  * [Basic configuration][ldap-basic-configuration]
+  * [Lookup-related configuration][ldap-lookup-related-configuration]
+* [LDAP Cached Auth provider][backend-auth-ldap-cached]
+  * [Description][cached_ldap-description]
+  * [Interaction schema][cached_ldap-interaction-schema]
+  * [Configuration][cached_ldap-configuration]
+
+## For developers
+
+* [Custom Auth provider][backend-auth-custom]