MTSWebServices · annamikhailovapsk · Mar 12, 2026 · Mar 12, 2026 · dolfinus · Mar 12, 2026
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -39,7 +39,7 @@ security-scan:
     APPSECHUB_PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     APPSECHUB_SCA_SBOM_GENERATOR: custom
     APPSECHUB_SBOM_PATH: sbom.cyclonedx.json
-    APPSECHUB_SBOM_MASK: "*bom*.json"
+    APPSECHUB_SBOM_MASK: '*bom*.json'
     CUSTOM_SBOM_GENERATOR_JOB_NAME: sbom-creation
   rules:
     - if: $CI_COMMIT_REF_NAME == $CI_DEFAULT_BRANCH

diff --git a/mddocs/en/Makefile b/mddocs/en/Makefile
@@ -0,0 +1,20 @@
+# Minimal makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line, and also
+# from the environment for the first two.
+SPHINXOPTS    ?=
+SPHINXBUILD   ?= sphinx-build
+SOURCEDIR     = .
+BUILDDIR      = _build
+
+# Put it first so that "make" without argument is like "make help".
+help:
+	@$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
+
+.PHONY: help Makefile
+
+# Catch-all target: route all unknown targets to Sphinx using the new
+# "make mode" option.  $(O) is meant as a shortcut for $(SPHINXOPTS).
+%: Makefile
+	@$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O)
diff --git a/mddocs/en/_static/custom.css b/mddocs/en/_static/custom.css
@@ -0,0 +1,3 @@
+.logo {
+  width: 200px !important;
+}
diff --git a/mddocs/en/_static/icon.svg b/mddocs/en/_static/icon.svg
diff --git a/mddocs/en/_static/logo.svg b/mddocs/en/_static/logo.svg
diff --git a/mddocs/en/_static/logo_no_title.svg b/mddocs/en/_static/logo_no_title.svg
diff --git a/mddocs/en/_static/metrics.prom b/mddocs/en/_static/metrics.prom
@@ -0,0 +1 @@
+# Generated in CI
diff --git a/mddocs/en/_static/openapi.json b/mddocs/en/_static/openapi.json
@@ -0,0 +1,9 @@
+{
+  "openapi": "3.1.0",
+  "version": "unknown",
+  "info": {
+    "title": "Generated in CI",
+    "version": "unknown"
+  },
+  "paths": {}
+}
diff --git a/mddocs/en/_static/redoc.html b/mddocs/en/_static/redoc.html
@@ -0,0 +1,28 @@
+
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Horizon - ReDoc</title>
+    <!-- needed for adaptive design -->
+    <meta charset="utf-8"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+
+    <link rel="shortcut icon" href="../_static/icon.svg">
+    <!--
+    ReDoc doesn't change outer page styles
+    -->
+    <style>
+      body {
+        margin: 0;
+        padding: 0;
+      }
+    </style>
+  </head>
+  <body>
+    <noscript>
+        ReDoc requires Javascript to function. Please enable it to browse the documentation.
+    </noscript>
+    <redoc spec-url="../_static/openapi.json"></redoc>
+    <script src="https://cdn.jsdelivr.net/npm/redoc@next/bundles/redoc.standalone.js"></script>
+  </body>
+</html>
diff --git a/mddocs/en/_static/stats.prom b/mddocs/en/_static/stats.prom
@@ -0,0 +1 @@
+# Generated in CI
diff --git a/mddocs/en/_static/swagger.html b/mddocs/en/_static/swagger.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <meta
+    name="description"
+    content="SwaggerUI"
+  />
+  <title>SwaggerUI</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui.css" />
+  <link rel="shortcut icon" href="../_static/icon.svg">
+</head>
+<body>
+  <div id="swagger-ui"></div>
+  <script src="https://cdn.jsdelivr.net/npm/swagger-ui-dist@5/swagger-ui-bundle.js" crossorigin></script>
+  <script>
+    window.onload = () => {
+      window.ui = SwaggerUIBundle({
+        url: '../_static/openapi.json',
+        dom_id: '#swagger-ui',
+      });
+    };
+  </script>
+</body>
+</html>
diff --git a/mddocs/en/backend/architecture.md b/mddocs/en/backend/architecture.md
@@ -0,0 +1,30 @@
+# Architecture { #backend-architecture }
+
+```plantuml
+
+    @startuml
+        title Backend artitecture
+        skinparam linetype polyline
+        left to right direction
+
+        actor "User"
+
+        frame "Horizon" {
+            component "REST API"
+            database "Database"
+        }
+
+        component "LDAP"
+
+        [User] --> [REST API]
+        [REST API] --> [Database]
+        [REST API] ..> [LDAP]
+    @enduml
+```
+
+```mermaid
+stateDiagram-v2
+[User] --> [RESTAPI]
+[RESTAPI] --> [Database]
+[RESTAPI] --> [LDAP]
+```
diff --git a/mddocs/en/backend/auth/cached_ldap.md b/mddocs/en/backend/auth/cached_ldap.md
@@ -0,0 +1,172 @@
+# LDAP Cached Auth provider { #backend-auth-ldap-cached }
+
+## Description { #cached_ldap-description }
+
+Same as [LDAP Auth provider][backend-auth-ldap-cached], but if LDAP request for checking user credentials was successful,
+credentials are stored in local cache (table in internal database, in form `login` + `hash(password)` + `update timestamp`).
+
+Next auth requests for the same login are performed against this cache **first**. LDAP requests are send *only* if cache have been expired.
+
+This allows to:
+
+- Bypass errors with LDAP availability, e.g. network errors
+- Reduce number of requests made to LDAP.
+
+Downsides:
+
+- If user changed password, and cache is not expired yet, user may still log in with old credentials.
+- Same if user was blocked in LDAP.
+
+## Interaction schema { #cached_ldap-interaction-schema }
+
+```plantuml
+
+        @startuml
+            title CachedLDAPAuthProvider
+            participant "Client"
+            participant "Backend"
+            participant "LDAP"
+
+            == POST v1/auth/token ==
+
+            activate "Client"
+            alt First time auth | Empty cache | Cache expired
+                "Client" -> "Backend" ++ : login + password
+                "Backend" --> "Backend" : Search for credentials cache by login
+                "Backend" --> "Backend" : No items found or item expired, using LDAP
+                "Backend" --> "Backend" : DN = bind_dn_template(login)
+                "Backend" -> "LDAP" ++ : Call bind(DN, password)
+                "LDAP" --[#green]> "Backend" -- : Successful
+                "Backend" --> "Backend" : Check user in internal backend database,\nusername = login
+                "Backend" -> "Backend" : Create user if not exist
+                "Backend" -> "Backend" : Save credentials to cache
+                "Backend" -[#green]> "Client" -- : Generate and return access_token
+
+            else Using cache, LDAP is totally ignored
+                "Client" -> "Backend" ++ : login + password
+                "Backend" --> "Backend" : Search for credentials cache by login
+                "Backend" --> "Backend" : Found credentials, check for expiration
+                "Backend" --> "Backend" : Not expired, validate password is matching hash
+                "Backend" --> "Backend" : Password match, not calling LDAP
+                "Backend" --> "Backend" : Check user in internal backend database
+                "Backend" -> "Backend" : Create user if not exist
+                "Backend" -[#green]> "Client" -- : Generate and return access_token
+
+            else Password mismatch with cache, LDAP is totally ignored
+                "Client" -> "Backend" ++ : login + password
+                "Backend" --> "Backend" : Search for credentials cache by login
+                "Backend" --> "Backend" : Found credentials, check for expiration
+                "Backend" --> "Backend" : Not expired, validate password is matching hash
+                "Backend" --> "Backend" : Password do not match local cache
+                "Backend" x-[#red]> "Client" -- : 401 Unauthorized
+
+            else No cache or cache expired, LDAP is unavailable
+                "Client" -> "Backend" ++ : login + password
+                "Backend" --> "Backend" : Search for credentials cache by login
+                "Backend" --> "Backend" : No items found or item expired, using LDAP
+                "Backend" --> "Backend" : DN = bind_dn_template(login)
+                "Backend" -[#red]>x "LDAP" : Call bind(DN, password)
+                "Backend" x-[#red]> "Client" -- : 503 Service unavailable
+
+            else
+                note right of "Client" : Other cases are same as for LDAPAuthProvider,\nlike lookup, blocked/deleted users
+            end
+
+            == GET v1/namespaces ==
+
+            alt Successful case
+                "Client" -> "Backend" ++ : access_token
+                "Backend" --> "Backend" : Validate token
+                "Backend" --> "Backend" : Check user in internal backend database
+                "Backend" -> "Backend" : Get data
+                "Backend" -[#green]> "Client" -- : Return data
+
+            else Token is expired
+                "Client" -> "Backend" ++ : access_token
+                "Backend" --> "Backend" : Validate token
+                "Backend" x-[#red]> "Client" -- : 401 Unauthorized
+
+            else User is blocked
+                "Client" -> "Backend" ++ : access_token
+                "Backend" --> "Backend" : Validate token
+                "Backend" --> "Backend" : Check user in internal backend database
+                "Backend" x-[#red]> "Client" -- : 401 Unauthorized
+
+            else User is deleted
+                "Client" -> "Backend" ++ : access_token
+                "Backend" --> "Backend" : Validate token
+                "Backend" --> "Backend" : Check user in internal backend database
+                "Backend" x-[#red]> "Client" -- : 404 Not found
+            end
+
+            deactivate "Client"
+        @enduml
+```
+<!--
+```mermaid
+sequenceDiagram
+participant "Client"
+participant "Backend"
+participant "LDAP"
+activate "Client"
+alt First time auth | Empty cache | Cache expired
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : No items found or item expired, using LDAP
+"Backend" ->> "Backend" : DN = bind_dn_template(login)
+"Backend" ->> "LDAP"  : Call bind(DN, password)
+"Backend" ->> "Backend" : Check user in internal backend database,\nusername = login
+"Backend" ->> "Backend" : Create user if not exist
+"Backend" ->> "Backend" : Save credentials to cache
+else
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : Found credentials, check for expiration
+"Backend" ->> "Backend" : Not expired, validate password is matching hash
+"Backend" ->> "Backend" : Password match, not calling LDAP
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Create user if not exist
+else
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : Found credentials, check for expiration
+"Backend" ->> "Backend" : Not expired, validate password is matching hash
+"Backend" ->> "Backend" : Password do not match local cache
+else
+"Client" ->> "Backend"  : login + password
+"Backend" ->> "Backend" : Search for credentials cache by login
+"Backend" ->> "Backend" : No items found or item expired, using LDAP
+"Backend" ->> "Backend" : DN = bind_dn_template(login)
+else
+Note right of "Client" : Other cases are same as for LDAPAuthProvider,\nlike lookup, blocked/deleted users
+end
+alt Successful case
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+"Backend" ->> "Backend" : Get data
+else
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+else
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+else
+"Client" ->> "Backend"  : access_token
+"Backend" ->> "Backend" : Validate token
+"Backend" ->> "Backend" : Check user in internal backend database
+end
+deactivate "Client"
+``` -->
+
+## Configuration { #cached_ldap-configuration }
+
+Other settings are just the same as for `LDAPAuthProvider`
+
+::: horizon.backend.settings.auth.cached_ldap.CachedLDAPAuthProviderSettings
+<!--    :inherited-members: BaseModel -->
+
+::: horizon.backend.settings.auth.cached_ldap.LDAPCacheSettings
+
+::: horizon.backend.settings.auth.cached_ldap.LDAPCachePasswordHashSettings
diff --git a/mddocs/en/backend/auth/custom.md b/mddocs/en/backend/auth/custom.md
@@ -0,0 +1,5 @@
+# Custom Auth provider { #backend-auth-custom }
+
+You can implement custom auth provider by inheriting from class below and implementing necessary methods.
+
+::: horizon.backend.providers.auth.AuthProvider