From 55b8042c2dc8c0b85f7ced2d92a457612afdc40b Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 25 Jul 2023 11:43:29 +0200 Subject: [PATCH 1/3] release 3.14.0 --- CHANGELOG.md | 8 +++++++- gateway/src/apicast/version.lua | 2 +- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b7d0157c..502c1bd1a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,19 +7,24 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] +## [3.14.0] 2023-07-25 + ### Fixed - In boot mode on `init_worker` check configuration expiration [PR #1399](https://github.com/3scale/APIcast/pull/1399) [THREESCALE-9003](https://issues.redhat.com/browse/THREESCALE-9003) - Removes the warning message at the bootstrap [PR #1398](https://github.com/3scale/APIcast/pull/1398) [THREESCALE-7942](https://issues.redhat.com/browse/THREESCALE-7942) - Set NGiNX variable variables_hash_max_size to 2048 to avoid startup warning [PR #1395](https://github.com/3scale/APIcast/pull/1395) [THREESCALE-7941](https://issues.redhat.com/browse/THREESCALE-7941) +- Dev environment on aarch64 host [PR #1381](https://github.com/3scale/APIcast/pull/1381) ### Added +- Doc: Policy Development Tutorial [PR #1384](https://github.com/3scale/APIcast/pull/1384) - Opentelemetry support. Opentracing is now deprecated [PR #1379](https://github.com/3scale/APIcast/pull/1379) [THREESCALE-7735](https://issues.redhat.com/browse/THREESCALE-7735) - `/admin/api/account/proxy_configs` endpoint for configuration loading [PR #1352](https://github.com/3scale/APIcast/pull/1352) [THREESCALE-8508](https://issues.redhat.com/browse/THREESCALE-8508) - Pagination of services and proxy config endpoints [PR #1397](https://github.com/3scale/APIcast/pull/1397) [THREESCALE-8373](https://issues.redhat.com/browse/THREESCALE-8373) - Upstream TLS v1.3 [PR #1400](https://github.com/3scale/APIcast/pull/1400) [THREESCALE-9193](https://issues.redhat.com/browse/THREESCALE-9193) - Updated policy list for v3.13.2 [PR #1404](https://github.com/3scale/APIcast/pull/1404) +- Updated policy list for v3.14.0 [PR #TBD](https://github.com/3scale/APIcast/pull/TBD) ### Removed @@ -952,7 +957,7 @@ Apart from the changes mentioned in this section, this version also includes the - Major rewrite using JSON configuration instead of code generation. -[Unreleased]: https://github.com/3scale/apicast/compare/v3.10.0...HEAD +[Unreleased]: https://github.com/3scale/apicast/compare/v3.14.0...HEAD [2.0.0]: https://github.com/3scale/apicast/compare/v0.2...v2.0.0 [3.0.0-alpha1]: https://github.com/3scale/apicast/compare/v2.0.0...v3.0.0-alpha1 [3.0.0-alpha2]: https://github.com/3scale/apicast/compare/v3.0.0-alpha1...v3.0.0-alpha2 @@ -1012,3 +1017,4 @@ Apart from the changes mentioned in this section, this version also includes the [3.12.2]: https://github.com/3scale/apicast/compare/v3.12.0..v3.12.2 [3.13.0]: https://github.com/3scale/apicast/compare/v3.12.2..v3.13.0 [3.13.2]: https://github.com/3scale/apicast/compare/v3.13.0..v3.13.2 +[3.14.0]: https://github.com/3scale/apicast/compare/v3.13.2..v3.14.0 diff --git a/gateway/src/apicast/version.lua b/gateway/src/apicast/version.lua index cc25bfe73..81bfe1715 100644 --- a/gateway/src/apicast/version.lua +++ b/gateway/src/apicast/version.lua @@ -1 +1 @@ -return "latest" +return "3.14.0" From 8359e95fbe7c67a2f74a2c314435dcfb9879186d Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 25 Jul 2023 11:44:27 +0200 Subject: [PATCH 2/3] changelog updated with PR --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 502c1bd1a..0822ee9c8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,7 +24,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Pagination of services and proxy config endpoints [PR #1397](https://github.com/3scale/APIcast/pull/1397) [THREESCALE-8373](https://issues.redhat.com/browse/THREESCALE-8373) - Upstream TLS v1.3 [PR #1400](https://github.com/3scale/APIcast/pull/1400) [THREESCALE-9193](https://issues.redhat.com/browse/THREESCALE-9193) - Updated policy list for v3.13.2 [PR #1404](https://github.com/3scale/APIcast/pull/1404) -- Updated policy list for v3.14.0 [PR #TBD](https://github.com/3scale/APIcast/pull/TBD) +- Updated policy list for v3.14.0 [PR #1407](https://github.com/3scale/APIcast/pull/1407) ### Removed From fbcb818a66f006ae8549d5d142f36dffb31c29ae Mon Sep 17 00:00:00 2001 From: Eguzki Astiz Lezaun Date: Tue, 25 Jul 2023 11:50:58 +0200 Subject: [PATCH 3/3] policy list: 3.14.0 --- doc/policies_list/3.14.0/policies.json | 2954 ++++++++++++++++++++++++ 1 file changed, 2954 insertions(+) create mode 100644 doc/policies_list/3.14.0/policies.json diff --git a/doc/policies_list/3.14.0/policies.json b/doc/policies_list/3.14.0/policies.json new file mode 100644 index 000000000..b903b39f2 --- /dev/null +++ b/doc/policies_list/3.14.0/policies.json @@ -0,0 +1,2954 @@ +{ + "policies": { + "oauth_mtls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ] + } + ], + "websocket": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Websocket", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Allows websocket connection pass through.", + "version": "builtin", + "description": [ + "A policy which allows Websocket traffic for the service" + ] + } + ], + "http_proxy": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Proxy Service", + "configuration": { + "type": "object", + "properties": { + "https_proxy": { + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported", + "type": "string" + }, + "all_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported.", + "type": "string" + }, + "http_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported", + "type": "string" + } + } + }, + "summary": "Adds an HTTP proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "content_caching": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Content caching", + "configuration": { + "type": "object", + "definitions": { + "operation": { + "type": "object", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'left'", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "right_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'right'", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "$id": "#/definitions/operation" + }, + "rule": { + "type": "object", + "properties": { + "cache": { + "type": "boolean", + "default": false, + "title": "Enable cache if match" + }, + "condition": { + "type": "object", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + }, + "minItems": 1 + }, + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "title": "Condition" + }, + "header": { + "type": "string", + "default": "X-Cache-Status", + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "title": "Header name " + } + }, + "$id": "#/definitions/rule", + "title": "Rule", + "required": [ + "cache" + ] + } + }, + "properties": { + "rules": { + "type": "array", + "title": "Rules", + "minItems": 1, + "items": { + "$ref": "#/definitions/rule" + }, + "description": "Rules to enable/disable caching" + } + } + }, + "summary": "Option to enable content caching on responses.", + "version": "builtin", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any Liquid filter operation" + ] + } + ], + "caching": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Auth Caching", + "configuration": { + "type": "object", + "properties": { + "caching_type": { + "type": "string", + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ] + } + }, + "required": [ + "caching_type" + ] + }, + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "version": "builtin", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." + ] + } + ], + "rewrite_url_captures": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "URL Rewriting with Captures", + "configuration": { + "type": "object", + "definitions": { + "methods": { + "type": "array", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "items": { + "type": "string", + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ] + } + } + }, + "properties": { + "transformations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "template": { + "type": "string", + "description": "Template in which the matched args are replaced" + }, + "match_rule": { + "type": "string", + "description": "Rule to be matched" + }, + "methods": { + "$ref": "#/definitions/methods" + } + } + } + } + } + }, + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "version": "builtin", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ] + } + ], + "cors": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "CORS Request Handling", + "configuration": { + "type": "object", + "properties": { + "max_age": { + "description": "The ttl of the preflight response (default: 600)", + "type": "integer" + }, + "allow_headers": { + "type": "array", + "description": "Allowed headers", + "items": { + "type": "string" + } + }, + "allow_methods": { + "type": "array", + "description": "Allowed methods", + "items": { + "type": "string", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + } + }, + "allow_origin": { + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'.", + "type": "string" + }, + "allow_credentials": { + "description": "Whether the request can be made using credentials", + "type": "boolean" + } + } + }, + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "version": "builtin", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "upstream_mtls": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream Mutual TLS", + "configuration": { + "required": [ + "certificate_type", + "certificate_key_type" + ], + "dependencies": { + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "title": "Certificate Key", + "type": "string", + "format": "data-url" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "title": "Certificate Key", + "type": "string" + } + } + } + ] + }, + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate": { + "title": "Certificate", + "type": "string", + "format": "data-url" + }, + "certificate_type": { + "const": "embedded" + } + } + }, + { + "properties": { + "certificate": { + "title": "Certificate", + "type": "string" + }, + "certificate_type": { + "const": "path" + } + } + } + ] + } + }, + "properties": { + "certificate_key_type": { + "title": "Certificate key type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + }, + "verify": { + "type": "boolean", + "description": "Verify upstream connection" + }, + "ca_certificates": { + "type": "array", + "items": { + "type": "string", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate" + }, + "title": "CA certificates" + }, + "certificate_type": { + "title": "Certificate type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + } + }, + "title": "Upstream MTLS", + "description": "Built-in Upstream MTLS APIcast policy", + "type": "object" + }, + "summary": "Certificates to be used with the upstream API", + "version": "builtin", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config" + } + ], + "routing": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Routing", + "configuration": { + "type": "object", + "definitions": { + "operation": { + "type": "object", + "dependencies": { + "match": { + "oneOf": [ + { + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + }, + "required": [ + "header_name" + ] + }, + { + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + }, + "required": [ + "query_arg_name" + ] + }, + { + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + }, + "required": [ + "jwt_claim_name" + ] + }, + { + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + }, + "required": [ + "liquid_value" + ] + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "properties": { + "value": { + "type": "string" + }, + "match": { + "type": "string", + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ] + }, + "value_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'type'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "$id": "#/definitions/operation", + "required": [ + "match", + "op", + "value" + ] + } + }, + "properties": { + "rules": { + "type": "array", + "description": "List of rules to be applied", + "items": { + "type": "object", + "properties": { + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "type": "string", + "enum": [ + "and", + "or" + ], + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "default": "and" + } + } + }, + "host_header": { + "description": "Host for the Host header. When not specified, defaults to the host of the URL.", + "type": "string" + }, + "replace_path": { + "type": "string", + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path" + }, + "url": { + "type": "string" + }, + "owner_id": { + "type": "integer", + "description": "Value to only increment hits on the mapping rules owner by the same id. " + } + }, + "required": [ + "url" + ] + } + } + } + }, + "summary": "Allows to modify the upstream URL of the request.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "tls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "TLS Termination", + "configuration": { + "type": "object", + "properties": { + "certificates": { + "title": "TLS certificates", + "items": { + "type": "object", + "anyOf": [ + { + "title": "Certificate from local filesystem", + "properties": { + "certificate_path": { + "type": "string", + "title": "Path to the certificate" + }, + "certificate_key_path": { + "type": "string", + "title": "Path to the certificate private key" + } + }, + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "title": "Embedded certificate", + "properties": { + "certificate_key": { + "type": "string", + "title": "PEM formatted certificate private key", + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "format": "data-url" + }, + "certificate": { + "type": "string", + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "format": "data-url" + } + }, + "required": [ + "certificate", + "certificate_key" + ] + } + ] + }, + "description": "The first valid certificate is going to be served to the client.", + "type": "array" + } + } + }, + "summary": "Configure TLS termination certificates", + "version": "builtin", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." + ] + } + ], + "maintenance_mode": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Maintenance Mode", + "configuration": { + "type": "object", + "definitions": { + "operation": { + "type": "object", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'left'", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "right_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'right'", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "$id": "#/definitions/operation" + } + }, + "properties": { + "condition": { + "type": "object", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + }, + "minItems": 1 + }, + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "title": "Condition" + }, + "status": { + "type": "integer", + "description": "HTTP status code to return", + "default": 503 + }, + "message": { + "type": "string", + "description": "HTTP response to return", + "default": "Service Unavailable - Maintenance" + }, + "message_content_type": { + "type": "string", + "description": "Content-Type header for the response", + "default": "text/plain; charset=utf-8" + } + } + }, + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "version": "builtin", + "description": [ + "A policy which allows you to reject incoming requests with a specified status code and message. ", + "It's useful for maintenance periods or to temporarily block an API. \n", + "It allows to select a list of Upstream URLs for which to enable the maintenance mode." + ] + } + ], + "jwt_claim_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "JWT Claim Check", + "configuration": { + "type": "object", + "definitions": { + "value_type": { + "type": "string", + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type" + } + }, + "properties": { + "rules": { + "type": "array", + "items": { + "required": [ + "resource" + ], + "properties": { + "resource": { + "type": "string", + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." + }, + "resource_type": { + "description": "How to evaluate 'resource' field", + "$ref": "#/definitions/value_type" + }, + "operations": { + "type": "array", + "description": "Operations to perform the condition", + "items": { + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "properties": { + "value": { + "description": "Value to compare the retrieved JWT claim", + "type": "string" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0." + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + }, + "jwt_claim": { + "description": "String to get JWT claim", + "type": "string" + }, + "jwt_claim_type": { + "description": "How to evaluate 'jwt_claim' value", + "$ref": "#/definitions/value_type" + } + }, + "type": "object" + } + }, + "combine_op": { + "type": "string", + "enum": [ + "and", + "or" + ], + "default": "and" + }, + "methods": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "description": "Allowed methods", + "default": [ + "ANY" + ] + } + } + } + }, + "error_message": { + "title": "Error message", + "description": "Error message to show to user when traffic is blocked", + "type": "string" + } + } + }, + "summary": "Allow or deny traffic based on a JWT claim", + "version": "builtin", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ] + } + ], + "3scale_batcher": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Batcher", + "configuration": { + "type": "object", + "properties": { + "batch_report_seconds": { + "description": "Duration (in seconds) for batching reports", + "type": "integer" + }, + "auths_ttl": { + "description": "TTL for cached auths in seconds", + "type": "integer" + } + } + }, + "summary": "Caches auths from 3scale backend and batches reports.", + "version": "builtin", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ] + } + ], + "nginx_filters": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Nginx Filter", + "configuration": { + "type": "object", + "properties": { + "headers": { + "type": "array", + "minItems": 1, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "title": "Header Name" + }, + "append": { + "type": "boolean", + "default": false, + "title": "Append header to upstream" + } + }, + "required": [ + "name", + "append" + ] + }, + "title": "Headers to filter" + } + }, + "required": [ + "headers" + ] + }, + "summary": "Skip nginx filters on certain headers", + "version": "builtin", + "description": [ + "Nginx, by default, checks/validates some request headers. This policy allows the user to skips these checks and sends them to the upstream servers. " + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "conditional": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Conditional Policy [Tech preview]", + "configuration": { + "type": "object", + "definitions": { + "operation": { + "type": "object", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'left'", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=" + ] + }, + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "right_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'right'", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "$id": "#/definitions/operation" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + }, + "minItems": 1 + }, + "combine_op": { + "type": "string", + "enum": [ + "and", + "or" + ], + "default": "and" + } + }, + "description": "Condition to be evaluated", + "$id": "#/definitions/condition" + } + }, + "properties": { + "policy_chain": { + "type": "array", + "description": "The policy chain to execute when the condition is true", + "items": { + "type": "object" + } + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ] + }, + "summary": "Executes a policy chain conditionally.", + "version": "builtin", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ] + } + ], + "rate_limit": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Edge Limiting", + "configuration": { + "type": "object", + "definitions": { + "key": { + "type": "object", + "properties": { + "scope": { + "type": "string", + "default": "service", + "description": "Scope of the key", + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ] + }, + "name_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'name'", + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "name": { + "type": "string", + "description": "The name of the key, must be unique in the scope" + } + }, + "description": "The key corresponding to the limiter object", + "$id": "#/definitions/key" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + }, + "minItems": 0 + }, + "combine_op": { + "type": "string", + "enum": [ + "and", + "or" + ], + "default": "and" + } + }, + "description": "Condition to be evaluated", + "$id": "#/definitions/condition" + }, + "operation": { + "type": "object", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'left'", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "right_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'right'", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "$id": "#/definitions/operation" + }, + "error_handling": { + "type": "string", + "default": "exit", + "$id": "#/definitions/error_handling", + "description": "How to handle an error", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ] + } + }, + "properties": { + "fixed_window_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "count": { + "type": "integer", + "description": "The specified number of requests threshold", + "exclusiveMinimum": 0 + }, + "window": { + "type": "integer", + "minimum": 0, + "description": "The time window in seconds before the request count is reset", + "default": 1 + } + }, + "required": [ + "key", + "count", + "window" + ] + } + }, + "configuration_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "type": "integer", + "description": "The status code when there is some configuration issue", + "default": 500 + } + } + }, + "leaky_bucket_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "burst": { + "type": "integer", + "minimum": 0, + "description": "The number of excessive requests per second allowed to be delayed" + }, + "rate": { + "type": "integer", + "description": "The specified request rate (number per second) threshold", + "exclusiveMinimum": 0 + } + } + } + }, + "connection_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "burst": { + "type": "integer", + "minimum": 0, + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "delay": { + "type": "number", + "description": "The default processing latency of a typical connection (or request)", + "exclusiveMinimum": 0 + }, + "key": { + "$ref": "#/definitions/key" + }, + "conn": { + "type": "integer", + "description": "The maximum number of concurrent requests allowed", + "exclusiveMinimum": 0 + } + } + } + }, + "limits_exceeded_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "type": "integer", + "description": "The status code when requests over the limit", + "default": 429 + } + } + }, + "redis_url": { + "description": "URL of Redis", + "type": "string" + } + } + }, + "summary": "Adds rate limit.", + "version": "builtin", + "description": [ + "This policy adds rate limit." + ] + } + ], + "on_failed": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "On fail", + "configuration": { + "type": "object", + "properties": { + "error_status_code": { + "type": "integer", + "minimum": 100, + "description": "Status code that will send to the user if any policy fails", + "exclusiveMaximum": 700 + } + } + }, + "summary": "Block request if any policy fails", + "version": "builtin", + "description": "When a policy fails, this policy allows to set an error message back to the user and stop processing the request to the upstream API.", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "upstream_connection": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream Connection", + "configuration": { + "type": "object", + "properties": { + "send_timeout": { + "type": "number", + "description": "Timeout between two successive write operations (in seconds).", + "exclusiveMinimum": 0 + }, + "read_timeout": { + "type": "number", + "description": "Timeout between two successive read operations (in seconds).", + "exclusiveMinimum": 0 + }, + "connect_timeout": { + "description": "Timeout for establishing a connection (in seconds).", + "type": "integer" + } + } + }, + "summary": "Allows to configure several options for the connections to the upstream", + "version": "builtin", + "description": "Allows to configure several options for the connections to the upstream" + } + ], + "camel": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Camel Service", + "configuration": { + "type": "object", + "properties": { + "https_proxy": { + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported", + "type": "string" + }, + "all_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported.", + "type": "string" + }, + "http_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported", + "type": "string" + } + } + }, + "summary": "Adds an Camel proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "rate_limit_headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Rate Limits Headers", + "configuration": {}, + "summary": "Set rate limit headers on response", + "version": "builtin", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." + ] + } + ], + "custom_metrics": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Custom Metrics", + "configuration": { + "properties": { + "rules": { + "type": "array", + "items": { + "$ref": "#/definitions/custom_metrics_rule" + }, + "minItems": 1 + } + }, + "definitions": { + "operation": { + "type": "object", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'left'", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "right_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'right'", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "$id": "#/definitions/operation" + }, + "custom_metrics_rule": { + "type": "object", + "properties": { + "increment": { + "type": "string", + "default": "1", + "description": "How many hits should be incremented, liquid value ", + "title": "Increment " + }, + "condition": { + "type": "object", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + }, + "minItems": 1 + }, + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "title": "Condition" + }, + "metric": { + "type": "string", + "default": "", + "description": "Metric name to increment in case of condition match (liquid input)", + "title": "Metric to increment " + } + }, + "required": [ + "metric", + "condition", + "increment" + ] + } + } + }, + "summary": "Custom metrics on Nginx post actions ", + "version": "builtin", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "payload_limits": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Response/Request content limits", + "configuration": { + "type": "object", + "properties": { + "request": { + "type": "integer", + "default": 0, + "title": "The request limit in bytes", + "minimum": 0, + "description": "Request limit in bytes, 0 allows all", + "examples": [ + 0 + ] + }, + "response": { + "type": "integer", + "default": 0, + "title": "The response limit in bytes", + "minimum": 0, + "description": "Response limit in bytes, 0 allows all", + "examples": [ + 0 + ] + } + }, + "required": [ + "request", + "response" + ] + }, + "summary": "Limit request or response base on the size of the content", + "version": "builtin", + "description": [ + "This policy add limits based on request or response content size." + ] + } + ], + "soap": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "SOAP", + "configuration": { + "type": "object", + "properties": { + "mapping_rules": { + "type": "array", + "description": "Mapping rules.", + "items": { + "type": "object", + "properties": { + "delta": { + "description": "Value.", + "type": "integer" + }, + "metric_system_name": { + "description": "Metric.", + "type": "string" + }, + "pattern": { + "description": "Pattern to match against the request.", + "type": "string" + } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ] + } + } + } + }, + "summary": "Adds support for a small subset of SOAP.", + "version": "builtin", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ] + } + ], + "statuscode_overwrite": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "HTTP Status Code Overwrite", + "configuration": { + "type": "object", + "definitions": { + "codes": { + "type": "array", + "description": "List of codes to overwrite", + "items": { + "type": "object", + "properties": { + "upstream": { + "type": "integer", + "maximum": 600, + "title": "Upstream", + "minimum": 100, + "description": "Upstream HTTP code to replace" + }, + "apicast": { + "type": "integer", + "maximum": 600, + "title": "Return HTTP code", + "minimum": 100, + "description": "HTTP code to return" + } + }, + "required": [ + "upstream", + "apicast" + ] + } + } + }, + "properties": { + "http_statuses": { + "title": "HTTP status codes map", + "$ref": "#/definitions/codes" + } + } + }, + "summary": "Modify the HTTP status code returned by the upstream", + "version": "builtin", + "description": [ + "Configures a 1-1 mapping for upstream's http codes." + ] + } + ], + "tls_validation": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "TLS Client Certificate Validation", + "configuration": { + "type": "object", + "definitions": { + "store": { + "type": "array", + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store" + }, + "certificate": { + "type": "object", + "properties": { + "pem_certificate": { + "type": "string", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate" + } + }, + "$id": "#/definitions/certificate" + } + }, + "properties": { + "whitelist": { + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted.", + "$ref": "#/definitions/store" + } + } + }, + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "version": "builtin", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ] + } + ], + "apicast": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale APIcast", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "version": "builtin", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ] + } + ], + "url_rewriting": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "URL Rewriting", + "configuration": { + "type": "object", + "definitions": { + "methods": { + "type": "array", + "items": { + "type": "string", + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ] + }, + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "$id": "#/definitions/methods" + } + }, + "properties": { + "query_args_commands": { + "type": "array", + "description": "List of commands to apply to the query string args", + "items": { + "type": "object", + "properties": { + "arg": { + "description": "Query argument", + "type": "string" + }, + "value": { + "description": "Value", + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to apply to the query argument", + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ] + }, + "value_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "methods": { + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "$ref": "#/definitions/methods" + } + }, + "required": [ + "op", + "arg" + ] + } + }, + "commands": { + "type": "array", + "description": "List of rewriting commands to be applied", + "items": { + "type": "object", + "properties": { + "options": { + "description": "Options that define how the regex matching is performed", + "type": "string" + }, + "regex": { + "description": "Regular expression to be matched", + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to be applied (sub or gsub)", + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ] + }, + "replace": { + "description": "String that will replace what is matched by the regex", + "type": "string" + }, + "break": { + "description": "when set to true, if the command rewrote the URL, it will be the last one applied", + "type": "boolean" + }, + "methods": { + "$ref": "#/definitions/methods" + } + }, + "required": [ + "op", + "regex", + "replace" + ] + } + } + } + }, + "summary": "Allows to modify the path of a request.", + "version": "builtin", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ] + } + ], + "echo": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Echo", + "configuration": { + "type": "object", + "properties": { + "exit": { + "type": "string", + "description": "Exit mode", + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ] + }, + "status": { + "description": "HTTP status code to be returned", + "type": "integer" + } + } + }, + "summary": "Prints the request back to the client and optionally sets a status code.", + "version": "builtin", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ] + } + ], + "logging": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Logging", + "configuration": { + "type": "object", + "definitions": { + "value_type": { + "type": "string", + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "properties": { + "enable_access_logs": { + "description": "Whether to enable access logs for the service", + "type": "boolean" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "value": { + "description": "Value to compare the retrieved match", + "type": "string" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value" + }, + "match_type": { + "description": "How to evaluate 'match' value", + "$ref": "#/definitions/value_type" + }, + "match": { + "description": "String to get request information to match", + "type": "string" + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + } + }, + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ] + } + }, + "combine_op": { + "type": "string", + "enum": [ + "and", + "or" + ], + "default": "and" + } + } + }, + "custom_logging": { + "title": "Custom logging format", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries", + "type": "string" + }, + "enable_json_logs": { + "description": "To enable logs in json format. Custom logging format will be disabled", + "type": "boolean" + }, + "json_object_config": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "Key for the the json object", + "type": "string" + }, + "value": { + "description": "String to get request information", + "type": "string" + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + } + } + } + } + } + }, + "summary": "Controls logging.", + "version": "builtin", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. Also it allows to have a custom access logs format per service" + ] + } + ], + "keycloak_role_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "RH-SSO/Keycloak Role Check", + "configuration": { + "type": "object", + "definitions": { + "value_type": { + "type": "string", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "description": "Type of the role check", + "default": "whitelist" + }, + "scopes": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resource": { + "type": "string", + "description": "Resource controlled by role. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." + }, + "realm_roles": { + "type": "array", + "description": "Realm roles", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the role" + }, + "name_type": { + "description": "How to evaluate 'name'", + "$ref": "#/definitions/value_type" + } + } + } + }, + "resource_type": { + "description": "How to evaluate 'resource'", + "$ref": "#/definitions/value_type" + }, + "methods": { + "type": "array", + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "description": "Allowed methods", + "default": [ + "ANY" + ] + }, + "client_roles": { + "type": "array", + "description": "Client roles", + "items": { + "type": "object", + "properties": { + "client": { + "type": "string", + "description": "Client of the role." + }, + "name_type": { + "description": "How to evaluate 'name'", + "$ref": "#/definitions/value_type" + }, + "name": { + "type": "string", + "description": "Name of the role" + }, + "client_type": { + "description": "How to evaluate 'client'", + "$ref": "#/definitions/value_type" + } + } + } + } + } + } + } + } + }, + "summary": "Adds role check with Keycloak.", + "version": "builtin", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ] + } + ], + "headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Header Modification", + "configuration": { + "type": "object", + "definitions": { + "commands": { + "type": "array", + "description": "List of operations to apply to the headers", + "items": { + "type": "object", + "properties": { + "op": { + "type": "string", + "description": "Operation to be applied", + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ] + }, + "value": { + "description": "Value that will be added, set or pushed in the header. Not needed when deleting.", + "type": "string" + }, + "value_type": { + "type": "string", + "default": "plain", + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ] + }, + "header": { + "description": "Header to be modified", + "type": "string" + } + }, + "required": [ + "op", + "header" + ] + } + } + }, + "properties": { + "request": { + "$ref": "#/definitions/commands" + }, + "response": { + "$ref": "#/definitions/commands" + } + } + }, + "summary": "Allows to include custom headers.", + "version": "builtin", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ] + } + ], + "ip_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "IP Check", + "configuration": { + "type": "object", + "properties": { + "client_ip_sources": { + "type": "array", + "default": [ + "last_caller" + ], + "maxItems": 3, + "items": { + "type": "string", + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Get the IP from the proxy_protocol_addr variable", + "enum": [ + "proxy_protocol_addr" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ] + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "minItems": 1 + }, + "ips": { + "type": "array", + "description": "List of IPs", + "items": { + "type": "string" + } + }, + "check_type": { + "type": "string", + "description": "The type of check to apply", + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ] + }, + "error_msg": { + "type": "string", + "description": "", + "default": "IP address not allowed" + } + }, + "required": [ + "ips", + "check_type" + ] + }, + "summary": "Accepts or denies a request based on the IP.", + "version": "builtin", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ] + } + ], + "default_credentials": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Anonymous Access", + "configuration": { + "type": "object", + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "user_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "user_key" + ] + } + }, + "required": [ + "user_key" + ] + }, + { + "properties": { + "app_id": { + "type": "string" + }, + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + } + }, + "required": [ + "app_id", + "app_key" + ] + } + ] + } + }, + "properties": { + "auth_type": { + "type": "string", + "enum": [ + "user_key", + "app_id_and_app_key" + ], + "default": "user_key" + } + }, + "required": [ + "auth_type" + ] + }, + "summary": "Provides default credentials for unauthenticated requests.", + "version": "builtin", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "3scale_referrer": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Referrer", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "version": "builtin", + "description": "Sends the 'Referer' to 3scale backend for validation." + } + ], + "grpc": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "HTTP2 Endpoint", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "version": "builtin", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ] + } + ], + "upstream": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream", + "configuration": { + "type": "object", + "properties": { + "rules": { + "type": "array", + "description": "List of rules to be applied", + "items": { + "type": "object", + "properties": { + "regex": { + "description": "Regular expression to be matched", + "type": "string" + }, + "url": { + "description": "New URL in case of match", + "type": "string" + } + }, + "required": [ + "regex", + "url" + ] + } + } + } + }, + "summary": "Allows to modify the upstream URL of the request based on its path.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + } + } + ], + "token_introspection": [ + { + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "name": "OAuth 2.0 Token Introspection", + "configuration": { + "type": "object", + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "properties": { + "client_secret": { + "description": "Client Secret for the Token Introspection Endpoint", + "type": "string" + }, + "introspection_url": { + "description": "Introspection Endpoint URL", + "type": "string" + }, + "client_id": { + "description": "Client ID for the Token Introspection Endpoint", + "type": "string" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + } + }, + "required": [ + "client_id", + "client_secret", + "introspection_url" + ] + } + ] + } + }, + "properties": { + "max_cached_tokens": { + "type": "integer", + "minimum": 0, + "description": "Max number of tokens to cache", + "maximum": 10000 + }, + "max_ttl_tokens": { + "type": "integer", + "minimum": 1, + "description": "Max TTL for cached tokens", + "maximum": 3600 + }, + "auth_type": { + "type": "string", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ], + "default": "client_id+client_secret" + } + }, + "required": [ + "auth_type" + ] + }, + "summary": "Configures OAuth 2.0 Token Introspection.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ] + } + ], + "retry": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Retry", + "configuration": { + "type": "object", + "properties": { + "retries": { + "type": "integer", + "minimum": 1, + "description": "Number of retries", + "maximum": 10 + } + } + }, + "summary": "Allows to retry requests to the upstream", + "version": "builtin", + "description": "Allows to retry requests to the upstream" + } + ], + "liquid_context_debug": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Liquid Context Debug", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Inspects the available liquid context.", + "version": "builtin", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." + ], + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + }, + { + "name": "upstream", + "version": "builtin" + }, + { + "name": "routing", + "version": "builtin" + } + ] + } + } + ] + } +}