diff --git a/CHANGELOG.md b/CHANGELOG.md index 3adac38fc..1236f9e25 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/). ## [Unreleased] +## [3.15.0] 2024-04-04 + ### Fixed - Fix GRPC on HTTP2 POST method [PR #1419](https://github.com/3scale/apicast/pull/1419) [THREESCALE-9976](https://issues.redhat.com/browse/THREESCALE-9976) @@ -40,8 +42,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/). - Replace luafilesystem-ffi with [luafilesystem](https://github.com/lunarmodules/luafilesystem) [PR #1445](https://github.com/3scale/APIcast/pull/1445) [THREESCALE-10662](https://issues.redhat.com/browse/THREESCALE-10662) - Fix "Upstream cannot be null" error in APIcast logs [PR #1449](https://github.com/3scale/APIcast/pull/1449) [THREESCALE-5225](https://issues.redhat.com/browse/THREESCALE-5225) + - Fixed 3scale Batcher policy unable to handle base64 encoded `user_key` [PR #1453](https://github.com/3scale/APIcast/pull/1453) [THREESCALE-10934](https://issues.redhat.com/browse/THREESCALE-10934) +- Update luacheck settings and fix issues reported [PR #1451](https://github.com/3scale/APIcast/pull/1451) + +- Disable \_G write guard warning [PR #1454](https://github.com/3scale/APIcast/pull/1454) + ### Added - Detect number of CPU shares when running on Cgroups V2 [PR #1410](https://github.com/3scale/apicast/pull/1410) [THREESCALE-10167](https://issues.redhat.com/browse/THREESCALE-10167) @@ -1010,7 +1017,7 @@ Apart from the changes mentioned in this section, this version also includes the - Major rewrite using JSON configuration instead of code generation. -[Unreleased]: https://github.com/3scale/apicast/compare/v3.14.0...HEAD +[Unreleased]: https://github.com/3scale/apicast/compare/v3.15.0...HEAD [2.0.0]: https://github.com/3scale/apicast/compare/v0.2...v2.0.0 [3.0.0-alpha1]: https://github.com/3scale/apicast/compare/v2.0.0...v3.0.0-alpha1 [3.0.0-alpha2]: https://github.com/3scale/apicast/compare/v3.0.0-alpha1...v3.0.0-alpha2 @@ -1071,3 +1078,4 @@ Apart from the changes mentioned in this section, this version also includes the [3.13.0]: https://github.com/3scale/apicast/compare/v3.12.2..v3.13.0 [3.13.2]: https://github.com/3scale/apicast/compare/v3.13.0..v3.13.2 [3.14.0]: https://github.com/3scale/apicast/compare/v3.13.2..v3.14.0 +[3.15.0]: https://github.com/3scale/apicast/compare/v3.14.0..v3.15.0 diff --git a/doc/policies_list/3.15.0/policies.json b/doc/policies_list/3.15.0/policies.json new file mode 100644 index 000000000..114b39223 --- /dev/null +++ b/doc/policies_list/3.15.0/policies.json @@ -0,0 +1,2969 @@ +{ + "policies": { + "logging": [ + { + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "json_object_config": { + "type": "array", + "items": { + "type": "object", + "properties": { + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value": { + "type": "string", + "description": "String to get request information" + } + } + } + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object", + "properties": { + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Match operation to compare match field with the provided value" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + } + } + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "type": "string", + "default": "and" + } + } + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. Custom logging format will be disabled" + } + }, + "definitions": { + "value_type": { + "type": "string", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate as liquid." + } + ] + } + }, + "type": "object" + }, + "summary": "Controls logging.", + "version": "builtin", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. Also it allows to have a custom access logs format per service" + ] + } + ], + "rate_limit_headers": [ + { + "name": "Rate Limits Headers", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": {}, + "summary": "Set rate limit headers on response", + "version": "builtin", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." + ] + } + ], + "keycloak_role_check": [ + { + "name": "RH-SSO/Keycloak Role Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "type": { + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "type": "string", + "description": "Type of the role check" + }, + "scopes": { + "type": "array", + "items": { + "type": "object", + "properties": { + "client_roles": { + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the role" + }, + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "client": { + "type": "string", + "description": "Client of the role." + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + } + } + }, + "type": "array", + "description": "Client roles" + }, + "methods": { + "default": [ + "ANY" + ], + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "type": "array", + "description": "Allowed methods" + }, + "realm_roles": { + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the role" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + } + } + }, + "type": "array", + "description": "Realm roles" + }, + "resource": { + "type": "string", + "description": "Resource controlled by role. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." + }, + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + } + } + } + } + }, + "type": "object", + "definitions": { + "value_type": { + "$id": "#/definitions/value_type", + "type": "string", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'value' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'value' as liquid." + } + ] + } + } + }, + "summary": "Adds role check with Keycloak.", + "version": "builtin", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ] + } + ], + "ip_check": [ + { + "name": "IP Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "ips", + "check_type" + ], + "type": "object", + "properties": { + "client_ip_sources": { + "default": [ + "last_caller" + ], + "maxItems": 3, + "items": { + "type": "string", + "anyOf": [ + { + "enum": [ + "X-Forwarded-For" + ], + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)" + }, + { + "enum": [ + "X-Real-IP" + ], + "title": "Get the IP from the X-Real-IP header" + }, + { + "enum": [ + "proxy_protocol_addr" + ], + "title": "Get the IP from the proxy_protocol_addr variable" + }, + { + "enum": [ + "last_caller" + ], + "title": "Use the IP of the last caller" + } + ] + }, + "minItems": 1, + "type": "array", + "description": "Specifies how to get the client IP and in which order the options are tried" + }, + "error_msg": { + "default": "IP address not allowed", + "type": "string", + "description": "" + }, + "check_type": { + "oneOf": [ + { + "enum": [ + "blacklist" + ], + "title": "Block the IPs included in the list" + }, + { + "enum": [ + "whitelist" + ], + "title": "Allow only the IPs included in the list" + } + ], + "type": "string", + "description": "The type of check to apply" + }, + "ips": { + "items": { + "type": "string" + }, + "type": "array", + "description": "List of IPs" + } + } + }, + "summary": "Accepts or denies a request based on the IP.", + "version": "builtin", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ] + } + ], + "content_caching": [ + { + "name": "Content caching", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "minItems": 1, + "title": "Rules", + "type": "array", + "items": { + "$ref": "#/definitions/rule" + }, + "description": "Rules to enable/disable caching" + } + }, + "type": "object", + "definitions": { + "rule": { + "properties": { + "cache": { + "default": false, + "type": "boolean", + "title": "Enable cache if match" + }, + "header": { + "default": "X-Cache-Status", + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "type": "string", + "title": "Header name " + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string", + "title": "Combine operation" + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object", + "title": "Condition" + } + }, + "$id": "#/definitions/rule", + "type": "object", + "required": [ + "cache" + ], + "title": "Rule" + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "type": "object", + "properties": { + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'left' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'left' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'left'" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'right' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'right' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'right'" + } + } + } + } + }, + "summary": "Option to enable content caching on responses.", + "version": "builtin", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any Liquid filter operation" + ] + } + ], + "3scale_referrer": [ + { + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "version": "builtin", + "description": "Sends the 'Referer' to 3scale backend for validation." + } + ], + "rewrite_url_captures": [ + { + "name": "URL Rewriting with Captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "transformations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "template": { + "type": "string", + "description": "Template in which the matched args are replaced" + }, + "match_rule": { + "type": "string", + "description": "Rule to be matched" + }, + "methods": { + "$ref": "#/definitions/methods" + } + } + } + } + }, + "definitions": { + "methods": { + "items": { + "type": "string", + "oneOf": [ + { + "enum": [ + "GET" + ], + "title": "GET" + }, + { + "enum": [ + "POST" + ], + "title": "POST" + }, + { + "enum": [ + "PUT" + ], + "title": "PUT" + }, + { + "enum": [ + "PATCH" + ], + "title": "PATCH" + }, + { + "enum": [ + "DELETE" + ], + "title": "DELETE" + }, + { + "enum": [ + "HEAD" + ], + "title": "HEAD" + }, + { + "enum": [ + "OPTIONS" + ], + "title": "OPTIONS" + } + ] + }, + "type": "array", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods" + } + }, + "type": "object" + }, + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "version": "builtin", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ] + } + ], + "request_unbuffered": [ + { + "name": "Request Unbuffered", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Disable request buffering", + "version": "builtin", + "description": [ + "Disable request buffering. This is useful when proxying big payloads with HTTP/1.1 chunked encoding" + ] + } + ], + "oauth_mtls": [ + { + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ] + } + ], + "tls": [ + { + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "certificates": { + "items": { + "type": "object", + "anyOf": [ + { + "required": [ + "certificate_path", + "certificate_key_path" + ], + "properties": { + "certificate_path": { + "type": "string", + "title": "Path to the certificate" + }, + "certificate_key_path": { + "type": "string", + "title": "Path to the certificate private key" + } + }, + "title": "Certificate from local filesystem" + }, + { + "required": [ + "certificate", + "certificate_key" + ], + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "format": "data-url", + "type": "string", + "title": "PEM formatted certificate private key" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "format": "data-url", + "type": "string", + "title": "PEM formatted certificate" + } + }, + "title": "Embedded certificate" + } + ] + }, + "title": "TLS certificates", + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + } + }, + "summary": "Configure TLS termination certificates", + "version": "builtin", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." + ] + } + ], + "jwt_claim_check": [ + { + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "type": "array", + "items": { + "required": [ + "resource" + ], + "properties": { + "operations": { + "items": { + "properties": { + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0." + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "type": "array", + "description": "Operations to perform the condition" + }, + "methods": { + "default": [ + "ANY" + ], + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "type": "array", + "description": "Allowed methods" + }, + "resource": { + "type": "string", + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "type": "string", + "default": "and" + }, + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + } + } + } + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "definitions": { + "value_type": { + "$id": "#/definitions/value_type", + "type": "string", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate as liquid." + } + ] + } + }, + "type": "object" + }, + "summary": "Allow or deny traffic based on a JWT claim", + "version": "builtin", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ] + } + ], + "liquid_context_debug": [ + { + "name": "Liquid Context Debug", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + }, + { + "name": "upstream", + "version": "builtin" + }, + { + "name": "routing", + "version": "builtin" + } + ] + }, + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Inspects the available liquid context.", + "version": "builtin", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." + ] + } + ], + "upstream": [ + { + "name": "Upstream", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "type": "object", + "properties": { + "rules": { + "items": { + "required": [ + "regex", + "url" + ], + "type": "object", + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + } + }, + "type": "array", + "description": "List of rules to be applied" + } + } + }, + "summary": "Allows to modify the upstream URL of the request based on its path.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ] + } + ], + "caching": [ + { + "name": "3scale Auth Caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "oneOf": [ + { + "enum": [ + "strict" + ], + "title": "Strict: cache only authorized calls." + }, + { + "enum": [ + "resilient" + ], + "title": "Resilient: authorize according to last request when backend is down." + }, + { + "enum": [ + "allow" + ], + "title": "Allow: when backend is down, allow everything unless seen before and denied." + }, + { + "enum": [ + "none" + ], + "title": "None: disable caching." + } + ], + "type": "string", + "description": "Caching mode" + } + }, + "type": "object", + "required": [ + "caching_type" + ] + }, + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "version": "builtin", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." + ] + } + ], + "payload_limits": [ + { + "name": "Response/Request content limits", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "request": { + "default": 0, + "minimum": 0, + "title": "The request limit in bytes", + "examples": [ + 0 + ], + "type": "integer", + "description": "Request limit in bytes, 0 allows all" + }, + "response": { + "default": 0, + "minimum": 0, + "title": "The response limit in bytes", + "examples": [ + 0 + ], + "type": "integer", + "description": "Response limit in bytes, 0 allows all" + } + }, + "type": "object", + "required": [ + "request", + "response" + ] + }, + "summary": "Limit request or response base on the size of the content", + "version": "builtin", + "description": [ + "This policy add limits based on request or response content size." + ] + } + ], + "retry": [ + { + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "type": "integer", + "description": "Number of retries" + } + } + }, + "summary": "Allows to retry requests to the upstream", + "version": "builtin", + "description": "Allows to retry requests to the upstream" + } + ], + "statuscode_overwrite": [ + { + "name": "HTTP Status Code Overwrite", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "http_statuses": { + "$ref": "#/definitions/codes", + "title": "HTTP status codes map" + } + }, + "type": "object", + "definitions": { + "codes": { + "items": { + "properties": { + "upstream": { + "minimum": 100, + "maximum": 600, + "title": "Upstream", + "type": "integer", + "description": "Upstream HTTP code to replace" + }, + "apicast": { + "minimum": 100, + "maximum": 600, + "description": "HTTP code to return", + "type": "integer", + "title": "Return HTTP code" + } + }, + "type": "object", + "required": [ + "upstream", + "apicast" + ] + }, + "type": "array", + "description": "List of codes to overwrite" + } + } + }, + "summary": "Modify the HTTP status code returned by the upstream", + "version": "builtin", + "description": [ + "Configures a 1-1 mapping for upstream's http codes." + ] + } + ], + "apicast": [ + { + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "version": "builtin", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ] + } + ], + "on_failed": [ + { + "name": "On fail", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "type": "object", + "properties": { + "error_status_code": { + "exclusiveMaximum": 700, + "minimum": 100, + "type": "integer", + "description": "Status code that will send to the user if any policy fails" + } + } + }, + "summary": "Block request if any policy fails", + "version": "builtin", + "description": "When a policy fails, this policy allows to set an error message back to the user and stop processing the request to the upstream API." + } + ], + "routing": [ + { + "name": "Routing", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "properties": { + "rules": { + "items": { + "required": [ + "url" + ], + "type": "object", + "properties": { + "owner_id": { + "type": "integer", + "description": "Value to only increment hits on the mapping rules owner by the same id. " + }, + "url": { + "type": "string" + }, + "replace_path": { + "type": "string", + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string", + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true." + } + } + } + } + }, + "type": "array", + "description": "List of rules to be applied" + } + }, + "type": "object", + "definitions": { + "operation": { + "properties": { + "value": { + "type": "string" + }, + "value_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'value' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'value' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'type'" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ] + }, + "match": { + "type": "string", + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ] + } + }, + "$id": "#/definitions/operation", + "dependencies": { + "match": { + "oneOf": [ + { + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + }, + "required": [ + "header_name" + ] + }, + { + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + }, + "required": [ + "query_arg_name" + ] + }, + { + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + }, + "required": [ + "jwt_claim_name" + ] + }, + { + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + }, + "required": [ + "liquid_value" + ] + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + "match", + "op", + "value" + ], + "type": "object" + } + } + }, + "summary": "Allows to modify the upstream URL of the request.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ] + } + ], + "maintenance_mode": [ + { + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "message": { + "default": "Service Unavailable - Maintenance", + "type": "string", + "description": "HTTP response to return" + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string", + "title": "Combine operation" + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object", + "title": "Condition" + }, + "message_content_type": { + "default": "text/plain; charset=utf-8", + "type": "string", + "description": "Content-Type header for the response" + }, + "status": { + "default": 503, + "type": "integer", + "description": "HTTP status code to return" + } + }, + "definitions": { + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "type": "object", + "properties": { + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'left' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'left' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'left'" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'right' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'right' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'right'" + } + } + } + }, + "type": "object" + }, + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "version": "builtin", + "description": [ + "A policy which allows you to reject incoming requests with a specified status code and message. ", + "It's useful for maintenance periods or to temporarily block an API. \n", + "It allows to select a list of Upstream URLs for which to enable the maintenance mode." + ] + } + ], + "upstream_connection": [ + { + "name": "Upstream Connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "send_timeout": { + "exclusiveMinimum": 0, + "type": "number", + "description": "Timeout between two successive write operations (in seconds)." + }, + "read_timeout": { + "exclusiveMinimum": 0, + "type": "number", + "description": "Timeout between two successive read operations (in seconds)." + } + } + }, + "summary": "Allows to configure several options for the connections to the upstream", + "version": "builtin", + "description": "Allows to configure several options for the connections to the upstream" + } + ], + "grpc": [ + { + "name": "HTTP2 Endpoint", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "version": "builtin", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ] + } + ], + "camel": [ + { + "name": "Camel Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + } + } + }, + "summary": "Adds an Camel proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "nginx_filters": [ + { + "name": "Nginx Filter", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "required": [ + "headers" + ], + "type": "object", + "properties": { + "headers": { + "minItems": 1, + "items": { + "required": [ + "name", + "append" + ], + "type": "object", + "properties": { + "name": { + "type": "string", + "title": "Header Name" + }, + "append": { + "default": false, + "type": "boolean", + "title": "Append header to upstream" + } + } + }, + "type": "array", + "title": "Headers to filter" + } + } + }, + "summary": "Skip nginx filters on certain headers", + "version": "builtin", + "description": [ + "Nginx, by default, checks/validates some request headers. This policy allows the user to skips these checks and sends them to the upstream servers. " + ] + } + ], + "headers": [ + { + "name": "Header Modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "request": { + "$ref": "#/definitions/commands" + }, + "response": { + "$ref": "#/definitions/commands" + } + }, + "type": "object", + "definitions": { + "commands": { + "items": { + "required": [ + "op", + "header" + ], + "type": "object", + "properties": { + "value_type": { + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'value' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'value' as liquid." + } + ], + "default": "plain", + "type": "string", + "description": "How to evaluate 'value'" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "op": { + "oneOf": [ + { + "enum": [ + "add" + ], + "title": "Add a value to an existing header." + }, + { + "enum": [ + "set" + ], + "title": "Create the header when not set, replace its value when set." + }, + { + "enum": [ + "push" + ], + "title": "Create the header when not set, add the value when set." + }, + { + "enum": [ + "delete" + ], + "title": "Delete a header." + } + ], + "type": "string", + "description": "Operation to be applied" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." + } + } + }, + "type": "array", + "description": "List of operations to apply to the headers" + } + } + }, + "summary": "Allows to include custom headers.", + "version": "builtin", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ] + } + ], + "rate_limit": [ + { + "name": "Edge Limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "redis_url": { + "type": "string", + "description": "URL of Redis" + }, + "connection_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + } + } + } + }, + "limits_exceeded_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 429, + "type": "integer", + "description": "The status code when requests over the limit" + } + } + }, + "leaky_bucket_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + } + } + } + }, + "fixed_window_limiters": { + "type": "array", + "items": { + "properties": { + "window": { + "default": 1, + "minimum": 0, + "type": "integer", + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + }, + "key": { + "$ref": "#/definitions/key" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + } + }, + "configuration_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 500, + "type": "integer", + "description": "The status code when there is some configuration issue" + } + } + } + }, + "type": "object", + "definitions": { + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "type": "object", + "properties": { + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'left' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'left' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'left'" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'right' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'right' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'right'" + } + } + }, + "condition": { + "$id": "#/definitions/condition", + "properties": { + "operations": { + "minItems": 0, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "type": "string", + "default": "and" + } + }, + "type": "object", + "description": "Condition to be evaluated" + }, + "error_handling": { + "default": "exit", + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "enum": [ + "exit" + ], + "description": "Respond with an error" + }, + { + "enum": [ + "log" + ], + "description": "Let the request go through and only output logs" + } + ], + "type": "string", + "description": "How to handle an error" + }, + "key": { + "$id": "#/definitions/key", + "properties": { + "name": { + "type": "string", + "description": "The name of the key, must be unique in the scope" + }, + "scope": { + "default": "service", + "oneOf": [ + { + "enum": [ + "global" + ], + "description": "Global scope, affecting to all services" + }, + { + "enum": [ + "service" + ], + "description": "Service scope, affecting to one service" + } + ], + "type": "string", + "description": "Scope of the key" + }, + "name_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'name' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'name' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'name'" + } + }, + "type": "object", + "description": "The key corresponding to the limiter object" + } + } + }, + "summary": "Adds rate limit.", + "version": "builtin", + "description": [ + "This policy adds rate limit." + ] + } + ], + "custom_metrics": [ + { + "name": "Custom Metrics", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "definitions": { + "custom_metrics_rule": { + "properties": { + "increment": { + "default": "1", + "description": "How many hits should be incremented, liquid value ", + "type": "string", + "title": "Increment " + }, + "metric": { + "default": "", + "description": "Metric name to increment in case of condition match (liquid input)", + "type": "string", + "title": "Metric to increment " + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string", + "title": "Combine operation" + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object", + "title": "Condition" + } + }, + "type": "object", + "required": [ + "metric", + "condition", + "increment" + ] + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "type": "object", + "properties": { + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'left' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'left' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'left'" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'right' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'right' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'right'" + } + } + } + }, + "properties": { + "rules": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/custom_metrics_rule" + } + } + } + }, + "summary": "Custom metrics on Nginx post actions ", + "version": "builtin", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ] + } + ], + "default_credentials": [ + { + "name": "Anonymous Access", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "required": [ + "auth_type" + ], + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "user_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "user_key" + ] + } + }, + "required": [ + "user_key" + ] + }, + { + "properties": { + "app_id": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_key": { + "type": "string" + } + }, + "required": [ + "app_id", + "app_key" + ] + } + ] + } + }, + "type": "object", + "properties": { + "auth_type": { + "enum": [ + "user_key", + "app_id_and_app_key" + ], + "type": "string", + "default": "user_key" + } + } + }, + "summary": "Provides default credentials for unauthenticated requests.", + "version": "builtin", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ] + } + ], + "soap": [ + { + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "mapping_rules": { + "items": { + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object", + "properties": { + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + }, + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + } + } + }, + "type": "array", + "description": "Mapping rules." + } + } + }, + "summary": "Adds support for a small subset of SOAP.", + "version": "builtin", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ] + } + ], + "tls_validation": [ + { + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "whitelist": { + "description": "Individual certificates and CA certificates to be whitelisted.", + "$ref": "#/definitions/store", + "title": "Certificate Whitelist" + } + }, + "type": "object", + "definitions": { + "store": { + "$id": "#/definitions/store", + "type": "array", + "items": { + "$ref": "#/definitions/certificate" + } + }, + "certificate": { + "$id": "#/definitions/certificate", + "type": "object", + "properties": { + "pem_certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string", + "title": "PEM formatted certificate" + } + } + } + } + }, + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "version": "builtin", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ] + } + ], + "url_rewriting": [ + { + "name": "URL Rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "query_args_commands": { + "items": { + "required": [ + "op", + "arg" + ], + "type": "object", + "properties": { + "value_type": { + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'value' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'value' as liquid." + } + ], + "default": "plain", + "type": "string", + "description": "How to evaluate 'value'" + }, + "methods": { + "$ref": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "op": { + "oneOf": [ + { + "enum": [ + "add" + ], + "title": "Add a value to an existing argument" + }, + { + "enum": [ + "set" + ], + "title": "Create the arg when not set, replace its value when set" + }, + { + "enum": [ + "push" + ], + "title": "Create the arg when not set, add the value when set" + }, + { + "enum": [ + "delete" + ], + "title": "Delete an arg" + } + ], + "type": "string", + "description": "Operation to apply to the query argument" + }, + "value": { + "type": "string", + "description": "Value" + } + } + }, + "type": "array", + "description": "List of commands to apply to the query string args" + }, + "commands": { + "items": { + "required": [ + "op", + "regex", + "replace" + ], + "type": "object", + "properties": { + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "op": { + "oneOf": [ + { + "enum": [ + "sub" + ], + "title": "Substitute the first match of the regex applied." + }, + { + "enum": [ + "gsub" + ], + "title": "Substitute all the matches of the regex applied." + } + ], + "type": "string", + "description": "Operation to be applied (sub or gsub)" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + } + } + }, + "type": "array", + "description": "List of rewriting commands to be applied" + } + }, + "definitions": { + "methods": { + "$id": "#/definitions/methods", + "items": { + "type": "string", + "oneOf": [ + { + "enum": [ + "GET" + ], + "title": "GET" + }, + { + "enum": [ + "POST" + ], + "title": "POST" + }, + { + "enum": [ + "PUT" + ], + "title": "PUT" + }, + { + "enum": [ + "PATCH" + ], + "title": "PATCH" + }, + { + "enum": [ + "DELETE" + ], + "title": "DELETE" + }, + { + "enum": [ + "HEAD" + ], + "title": "HEAD" + }, + { + "enum": [ + "OPTIONS" + ], + "title": "OPTIONS" + } + ] + }, + "type": "array", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods" + } + }, + "type": "object" + }, + "summary": "Allows to modify the path of a request.", + "version": "builtin", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ] + } + ], + "echo": [ + { + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "exit": { + "oneOf": [ + { + "enum": [ + "request" + ], + "title": "Interrupt the processing of the request." + }, + { + "enum": [ + "phase" + ], + "title": "Skip only the rewrite phase." + } + ], + "type": "string", + "description": "Exit mode" + }, + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + } + } + }, + "summary": "Prints the request back to the client and optionally sets a status code.", + "version": "builtin", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ] + } + ], + "upstream_mtls": [ + { + "name": "Upstream Mutual TLS", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "verify": { + "type": "boolean", + "description": "Verify upstream connection" + }, + "certificate_type": { + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string", + "title": "Certificate type" + }, + "certificate_key_type": { + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string", + "title": "Certificate key type" + }, + "ca_certificates": { + "items": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string", + "title": "PEM formatted certificate" + }, + "type": "array", + "title": "CA certificates" + } + }, + "description": "Built-in Upstream MTLS APIcast policy", + "dependencies": { + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "type": "string", + "format": "data-url", + "title": "Certificate Key" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "type": "string", + "title": "Certificate Key" + } + } + } + ] + }, + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate": { + "type": "string", + "format": "data-url", + "title": "Certificate" + }, + "certificate_type": { + "const": "embedded" + } + } + }, + { + "properties": { + "certificate": { + "type": "string", + "title": "Certificate" + }, + "certificate_type": { + "const": "path" + } + } + } + ] + } + }, + "required": [ + "certificate_type", + "certificate_key_type" + ], + "title": "Upstream MTLS" + }, + "summary": "Certificates to be used with the upstream API", + "version": "builtin", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config" + } + ], + "cors": [ + { + "name": "CORS Request Handling", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "configuration": { + "type": "object", + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "type": "array", + "description": "Allowed headers" + }, + "allow_methods": { + "items": { + "type": "string", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "type": "array", + "description": "Allowed methods" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'." + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "max_age": { + "type": "integer", + "description": "The ttl of the preflight response (default: 600)" + } + } + }, + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "version": "builtin", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." + ] + } + ], + "http_proxy": [ + { + "name": "Proxy Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + } + } + }, + "summary": "Adds an HTTP proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "conditional": [ + { + "name": "Conditional Policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "condition" + ], + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "type": "array", + "description": "The policy chain to execute when the condition is true" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "type": "object", + "definitions": { + "condition": { + "$id": "#/definitions/condition", + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "type": "string", + "default": "and" + } + }, + "type": "object", + "description": "Condition to be evaluated" + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "type": "object", + "properties": { + "left": { + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'left' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'left' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'left'" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=" + ] + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "enum": [ + "plain" + ], + "title": "Evaluate 'right' as plain text." + }, + { + "enum": [ + "liquid" + ], + "title": "Evaluate 'right' as liquid." + } + ], + "type": "string", + "description": "How to evaluate 'right'" + } + } + } + } + }, + "summary": "Executes a policy chain conditionally.", + "version": "builtin", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ] + } + ], + "3scale_batcher": [ + { + "name": "3scale Batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + } + }, + "summary": "Caches auths from 3scale backend and batches reports.", + "version": "builtin", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ] + } + ], + "token_introspection": [ + { + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "properties": { + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + }, + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + } + }, + "required": [ + "client_id", + "client_secret", + "introspection_url" + ] + } + ] + } + }, + "type": "object", + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "minimum": 1, + "type": "integer", + "description": "Max TTL for cached tokens" + }, + "auth_type": { + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ], + "type": "string", + "default": "client_id+client_secret" + }, + "max_cached_tokens": { + "maximum": 10000, + "minimum": 0, + "type": "integer", + "description": "Max number of tokens to cache" + } + } + }, + "summary": "Configures OAuth 2.0 Token Introspection.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ] + } + ], + "websocket": [ + { + "name": "Websocket", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": {} + }, + "summary": "Allows websocket connection pass through.", + "version": "builtin", + "description": [ + "A policy which allows Websocket traffic for the service" + ] + } + ] + } +} diff --git a/gateway/src/apicast/version.lua b/gateway/src/apicast/version.lua index 81bfe1715..dbd4c2475 100644 --- a/gateway/src/apicast/version.lua +++ b/gateway/src/apicast/version.lua @@ -1 +1 @@ -return "3.14.0" +return "3.15.0"