diff --git a/schemas/acl/3.8.x.json b/schemas/acl/3.8.x.json index f0f2fd1..8ed6b9b 100644 --- a/schemas/acl/3.8.x.json +++ b/schemas/acl/3.8.x.json @@ -1,37 +1,24 @@ { - "entity_checks": [ - { - "only_one_of": [ - "config.allow", - "config.deny" - ] - }, - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -48,8 +35,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -58,48 +44,62 @@ { "allow": { "description": "Arbitrary group names that are allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "deny": { "description": "Arbitrary group names that are not allowed to consume the service or route. One of `config.allow` or `config.deny` must be specified.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "hide_groups_header": { - "required": true, - "default": false, + "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service.", "type": "boolean", - "description": "If enabled (`true`), prevents the `X-Consumer-Groups` header from being sent in the request to the upstream service." + "required": true, + "default": false } }, { "include_consumer_groups": { "required": false, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "always_use_authenticated_groups": { - "required": true, - "default": false, + "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous.", "type": "boolean", - "description": "If enabled (`true`), the authenticated groups will always be used even when an authenticated consumer already exists. If the authenticated groups don't exist, it will fallback to use the groups associated with the consumer. By default the authenticated groups will only be used when there is no consumer or the consumer is anonymous." 
+ "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "only_one_of": [ + "config.allow", + "config.deny" + ] + }, + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/acme/3.8.x.json b/schemas/acme/3.8.x.json index 411e23d..23cd428 100644 --- a/schemas/acme/3.8.x.json +++ b/schemas/acme/3.8.x.json 
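Review bot: `include_consumer_groups` is the only field in this `config` record without a `description`; the hunk reorders its keys but leaves it undocumented. For an access-control plugin, an operator needs to know how setting it to `true` changes which groups are compared against `allow` and `deny`. Add a one-sentence `description` next to `"type": "boolean"`. The wording has to come from the plugin's handler, which is not visible here, and the enclosing record starts outside the hunk.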
@@ -1,88 +1,40 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": true - }, - "then_field": "config.tos_accepted", - "if_match": { - "one_of": [ - "https://acme-v02.api.letsencrypt.org", - "https://acme-staging-v02.api.letsencrypt.org" - ] - }, - "if_field": "config.api_uri", - "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/" - } - }, - { - "conditional": { - "then_field": "config.storage_config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.storage" - } - }, - { - "conditional": { - "then_field": "config.storage_config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.storage" - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.storage" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "service": { - "type": "foreign", "reference": "services", "eq": null, + "type": "foreign", "description": "A reference to the 'services' table with a null value allowed." } }, { "route": { - "type": "foreign", "reference": "routes", "eq": null, + "type": "foreign", "description": "A reference to the 'routes' table with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -99,8 +51,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -108,24 +59,25 @@ "fields": [ { "account_email": { + "description": "The account identifier. Can be reused in a different plugin instance.", "required": true, - "referenceable": true, "match": "%w*%p*@+%w*%.?%w*", "type": "string", - "encrypted": true, - "description": "The account identifier. Can be reused in a different plugin instance." + "referenceable": true, + "encrypted": true } }, { "account_key": { - "required": false, + "description": "The private key associated with the account.", "type": "record", + "required": false, "fields": [ { "key_id": { - "required": true, "description": "The Key ID.", - "type": "string" + "type": "string", + "required": true } }, { 
@@ -134,109 +86,109 @@ "type": "string" } } - ], - "description": "The private key associated with the account." + ] } }, { "api_uri": { - "default": "https://acme-v02.api.letsencrypt.org/directory", "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "default": "https://acme-v02.api.letsencrypt.org/directory" } }, { "tos_accepted": { - "default": false, "description": "If you are using Let's Encrypt, you must set this to `true` to agree the terms of service.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "eab_kid": { + "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) key id. You usually don't need to set this unless it is explicitly required by the CA." + "referenceable": true } }, { "eab_hmac_key": { + "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "External account binding (EAB) base64-encoded URL string of the HMAC key. You usually don't need to set this unless it is explicitly required by the CA." + "referenceable": true } }, { "cert_type": { + "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate.", "type": "string", "default": "rsa", "one_of": [ "rsa", "ecc" - ], - "description": "The certificate type to create. The possible values are `'rsa'` for RSA certificate or `'ecc'` for EC certificate." + ] } }, { "rsa_key_size": { + "description": "RSA private key size for the certificate. 
The possible values are 2048, 3072, or 4096.", "type": "number", "default": 4096, "one_of": [ 2048, 3072, 4096 - ], - "description": "RSA private key size for the certificate. The possible values are 2048, 3072, or 4096." + ] } }, { "renew_threshold_days": { - "default": 14, + "description": "Days remaining to renew the certificate before it expires.", "type": "number", - "description": "Days remaining to renew the certificate before it expires." + "default": 14 } }, { "domains": { + "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')", "type": "array", "elements": { + "type": "string", "match_all": [ { "pattern": "^[^*]*%*?[^*]*$", "err": "invalid wildcard: must have at most one wildcard" } ], - "type": "string", "match_any": { - "err": "invalid wildcard: must be placed at leftmost or rightmost label", "patterns": [ "^%*%.", "%.%*$", "^[^*]*$" - ] + ], + "err": "invalid wildcard: must be placed at leftmost or rightmost label" } - }, - "description": "An array of strings representing hosts. A valid host is a string containing one or more labels separated by periods, with at most one wildcard label ('*')" + } } }, { "allow_any_domain": { - "default": false, + "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list.", "type": "boolean", - "description": "If set to `true`, the plugin allows all domains and ignores any values in the `domains` list." + "default": false } }, { "fail_backoff_minutes": { - "default": 5, + "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate.", "type": "number", - "description": "Minutes to wait for each domain that fails to create a certificate. This applies to both a\nnew certificate and a renewal certificate." 
+ "default": 5 } }, { "storage": { + "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well.", "type": "string", "default": "shm", "one_of": [ @@ -245,8 +197,7 @@ "redis", "consul", "vault" - ], - "description": "The backend storage type to use. The possible values are `'kong'`, `'shm'`, `'redis'`, `'consul'`, or `'vault'`. In DB-less mode, `'kong'` storage is unavailable. Note that `'shm'` storage does not persist during Kong restarts and does not work for Kong running on different machines, so consider using one of `'kong'`, `'redis'`, `'consul'`, or `'vault'` in production. Please refer to the Hybrid Mode sections below as well." + ] } }, { @@ -257,14 +208,14 @@ "fields": [ { "shm_name": { - "default": "kong", + "description": "Name of shared memory zone used for Kong API gateway storage", "type": "string", - "description": "Name of shared memory zone used for Kong API gateway storage" + "default": "kong" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -272,8 +223,8 @@ "fields": [ ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -281,161 +232,191 @@ "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "extra_options": { + "description": "Custom ACME Redis options", + "type": "record", "fields": [ { "namespace": { + "description": "A namespace to prepend to all keys stored in Redis.", "required": true, "type": "string", - "default": "", "len_min": 0, - "description": "A namespace to prepend to all keys stored in Redis." 
+ "default": "" } }, { "scan_count": { - "required": false, - "default": 10, "description": "The number of keys to return in Redis SCAN calls.", - "type": "number" + "type": "number", + "required": false, + "default": 10 } } ], - "description": "Custom ACME Redis options", - "required": true, - "type": "record" + "required": true } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "auth": { - "deprecation": { - "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "password" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "password" + ] + } + ], + "message": "acme: config.storage_config.redis.auth is deprecated, please use config.storage_config.redis.password instead", + "removal_in_version": "4.0" + } } }, { "ssl_server_name": { - "deprecation": { - "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "server_name" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "server_name" + ] + } + ], + "message": "acme: config.storage_config.redis.ssl_server_name is deprecated, please use config.storage_config.redis.server_name instead", + "removal_in_version": "4.0" + } } }, { "namespace": { - "deprecation": { - "message": "acme: config.storage_config.redis.namespace is deprecated, please use config.storage_config.redis.extra_options.namespace instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "extra_options", "namespace" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "namespace" + ] + } + ], + "message": "acme: config.storage_config.redis.namespace is deprecated, 
please use config.storage_config.redis.extra_options.namespace instead", + "removal_in_version": "4.0" + } } }, { "scan_count": { - "deprecation": { - "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "extra_options", "scan_count" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "extra_options", + "scan_count" + ] + } + ], + "message": "acme: config.storage_config.redis.scan_count is deprecated, please use config.storage_config.redis.extra_options.scan_count instead", + "removal_in_version": "4.0" + } } } ], - "type": "record" + "required": true } }, { @@ -443,25 +424,25 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -478,14 +459,14 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", - "type": "string" + "type": "string", + "referenceable": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
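Review bot: `ssl_verify` in this Redis storage record defaults to `false`, so enabling `ssl` alone gives an encrypted connection to a server whose certificate is never checked, and the `password` field is sent over that connection. Consider `"default": true` for `ssl_verify`, or an entity check that requires it whenever `ssl` is `true`. At minimum the description should say that leaving it off accepts any server certificate. The record's opening lines are outside the hunk, and if this file is generated the change belongs in the plugin's schema source.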
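Review bot: The `token` field at the end of the @@ -478 hunk is `referenceable` but not `encrypted`, unlike `password`, `eab_hmac_key` and `account_email` elsewhere in this file. An ACL token is a bearer credential, so it should presumably get the same treatment: add `"encrypted": true`. The same applies to the `token` field in the @@ -528 hunk. That second field's description still reads "Consul ACL token.", although the neighbouring `tls_verify` and `auth_method` fields suggest it belongs to the Vault record; confirm this and correct the text.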
@@ -493,25 +474,25 @@ "fields": [ { "https": { - "default": false, "description": "Boolean representation of https.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { @@ -528,16 +509,16 @@ }, { "token": { - "referenceable": true, "description": "Consul ACL token.", - "type": "string" + "type": "string", + "referenceable": true } }, { "tls_verify": { - "default": true, "description": "Turn on TLS verification.", - "type": "boolean" + "type": "boolean", + "default": true } }, { @@ -549,12 +530,12 @@ { "auth_method": { "description": "Auth Method, default to token, can be 'token' or 'kubernetes'.", + "type": "string", "default": "token", "one_of": [ "token", "kubernetes" - ], - "type": "string" + ] } }, { 
@@ -576,31 +557,80 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "preferred_chain": { - "type": "string", - "description": "A string value that specifies the preferred certificate chain to use when generating certificates." + "description": "A string value that specifies the preferred certificate chain to use when generating certificates.", + "type": "string" } }, { "enable_ipv4_common_name": { - "default": true, + "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates.", "type": "boolean", - "description": "A boolean value that controls whether to include the IPv4 address in the common name field of generated certificates." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.tos_accepted", + "if_field": "config.api_uri", + "then_err": "terms of service must be accepted, see https://letsencrypt.org/repository/", + "if_match": { + "one_of": [ + "https://acme-v02.api.letsencrypt.org", + "https://acme-staging-v02.api.letsencrypt.org" + ] + }, + "then_match": { + "eq": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.storage", + "if_match": { + "eq": "redis" + }, + "then_field": "config.storage_config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.storage" + ] } } ] diff --git a/schemas/ai-azure-content-safety/3.8.x.json b/schemas/ai-azure-content-safety/3.8.x.json index 8aaf5b9..8b87214 100644 --- a/schemas/ai-azure-content-safety/3.8.x.json 
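Review bot: The first `conditional` in the re-added `entity_checks` compares `config.api_uri` with `https://acme-v02.api.letsencrypt.org` and the staging host, both without a path, while the `api_uri` default in the @@ -134 hunk is `https://acme-v02.api.letsencrypt.org/directory`. If `one_of` is an exact string comparison, the default configuration never satisfies `if_match`, so the `tos_accepted` requirement is not enforced for it. Either list the full directory URLs in `one_of` or document that the match is prefix-based. This hunk only moves the block, so the mismatch appears to predate the commit.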
+++ b/schemas/ai-azure-content-safety/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,131 +43,134 @@ "fields": [ { "content_safety_url": { - "required": true, - "referenceable": true, "description": "Full URL, inc protocol, of the Azure Content Safety instance.", - "type": "string" + "required": true, + "type": "string", + "referenceable": true } }, { "azure_api_version": { + "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format.", "required": true, - "len_min": 1, - "default": "2023-10-01", "type": "string", - "description": "Sets the ?api-version URL parameter, used for defining the Azure Content Services interchange format." + "len_min": 1, + "default": "2023-10-01" } }, { "azure_use_managed_identity": { - "default": false, + "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity", "type": "boolean", - "description": "If checked, uses (if set) `azure_client_id`, `azure_client_secret`, and/or `azure_tenant_id` for Azure authentication, via Managed or User-assigned identity" + "default": false } }, { "azure_client_id": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the client ID if required.", - "type": "string" + "type": "string", + "required": false } }, { "azure_client_secret": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the client secret if required.", - "type": "string" + "type": "string", + "required": false } }, { "azure_tenant_id": { - "required": false, "description": "If `azure_use_managed_identity` is true, set the tenant ID if required.", - "type": "string" + "type": "string", + "required": false } }, { "content_safety_key": { + "description": "If `azure_use_managed_identity` is true, set the API key to call Content Safety.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If `azure_use_managed_identity` is true, set the API 
key to call Content Safety." + "referenceable": true } }, { "text_source": { + "description": "Select where to pick the 'text' for the Azure Content Services request.", "type": "string", "default": "concatenate_all_content", "one_of": [ "concatenate_all_content", "concatenate_user_content" - ], - "description": "Select where to pick the 'text' for the Azure Content Services request." + ] } }, { "categories": { + "description": "Array of categories, and their thresholds, to measure on.", "type": "array", "elements": { - "required": true, "fields": [ { "name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "rejection_level": { - "required": true, - "type": "integer" + "type": "integer", + "required": true } } ], + "required": true, "type": "record" - }, - "description": "Array of categories, and their thresholds, to measure on." + } } }, { "reveal_failure_reason": { - "default": true, "description": "Set true to tell the caller why their request was rejected, if so.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "output_type": { + "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories", "type": "string", "default": "FourSeverityLevels", "one_of": [ "FourSeverityLevels", "EightSeverityLevels" - ], - "description": "See https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter#content-filtering-categories" + ] } }, { "blocklist_names": { "description": "Use these configured blocklists (in Azure Content Services) when inspecting content.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "halt_on_blocklist_hit": { - "default": true, "description": "Tells Azure to reject the request if any blocklist filter is hit.", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + 
"entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-prompt-decorator/3.8.x.json b/schemas/ai-prompt-decorator/3.8.x.json index 8feb59d..5465e8b 100644 --- a/schemas/ai-prompt-decorator/3.8.x.json +++ b/schemas/ai-prompt-decorator/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.prompts.prepend", - "config.prompts.append" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
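Review bot: `azure_client_secret` in the @@ -46 hunk is declared with only `"type": "string"` and `"required": false`, while `content_safety_key` a few fields later carries `"encrypted": true` and `"referenceable": true`. As written, the client secret presumably gets neither at-rest encryption nor vault references, so it should carry the same two attributes: `"encrypted": true, "referenceable": true`. If this file is generated from the plugin's schema definition, the fix belongs in that source. Separately, the `content_safety_key` description says the API key is set when `azure_use_managed_identity` is true, which reads inverted and is worth confirming.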
@@ -35,92 +27,100 @@ "fields": [ { "prompts": { - "required": false, "fields": [ { "prepend": { + "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages.", "required": false, + "len_max": 15, "elements": { - "required": false, "fields": [ { "role": { - "required": true, "default": "system", + "type": "string", + "required": true, "one_of": [ "system", "assistant", "user" - ], - "type": "string" + ] } }, { "content": { - "required": true, + "len_min": 1, "type": "string", "len_max": 500, - "len_min": 1 + "required": true } } ], + "required": false, "type": "record" }, - "type": "array", - "len_max": 15, - "description": "Insert chat messages at the beginning of the chat message array. This array preserves exact order when adding messages." + "type": "array" } }, { "append": { + "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages.", "required": false, + "len_max": 15, "elements": { - "required": false, "fields": [ { "role": { - "required": true, "default": "system", + "type": "string", + "required": true, "one_of": [ "system", "assistant", "user" - ], - "type": "string" + ] } }, { "content": { - "required": true, + "len_min": 1, "type": "string", "len_max": 500, - "len_min": 1 + "required": true } } ], + "required": false, "type": "record" }, - "type": "array", - "len_max": 15, - "description": "Insert chat messages at the end of the chat message array. This array preserves exact order when adding messages." 
+ "type": "array" } } ], + "required": false, "type": "record" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.prompts.prepend", + "config.prompts.append" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-prompt-guard/3.8.x.json b/schemas/ai-prompt-guard/3.8.x.json index a25b0ad..83d1ea4 100644 --- a/schemas/ai-prompt-guard/3.8.x.json +++ b/schemas/ai-prompt-guard/3.8.x.json @@ -1,27 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow_patterns", - "config.deny_patterns" - ] - }, - { - "conditional": { - "then_field": "config.allow_all_conversation_history", - "if_match": { - "eq": true - }, - "then_match": { - "eq": false - }, - "if_field": "config.match_all_roles" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -38,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -47,57 +27,77 @@ "fields": [ { "allow_patterns": { + "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat.", "required": false, + "len_max": 10, "elements": { + "len_min": 1, "len_max": 500, - "type": "string", - "len_min": 1 + "type": "string" }, - "type": "array", - "len_max": 10, - "description": "Array of valid regex patterns, or valid questions from the 'user' role in chat." + "type": "array" } }, { "deny_patterns": { + "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat.", "required": false, + "len_max": 10, "elements": { + "len_min": 1, "len_max": 500, - "type": "string", - "len_min": 1 + "type": "string" }, - "type": "array", - "len_max": 10, - "description": "Array of invalid regex patterns, or invalid questions from the 'user' role in chat." + "type": "array" } }, { "allow_all_conversation_history": { - "required": true, - "default": false, + "description": "If true, will ignore all previous chat prompts from the conversation history.", "type": "boolean", - "description": "If true, will ignore all previous chat prompts from the conversation history." + "required": true, + "default": false } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "match_all_roles": { - "required": true, - "default": false, + "description": "If true, will match all roles in addition to 'user' role in conversation history.", "type": "boolean", - "description": "If true, will match all roles in addition to 'user' role in conversation history." 
+ "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow_patterns", + "config.deny_patterns" + ] + }, + { + "conditional": { + "if_field": "config.match_all_roles", + "if_match": { + "eq": true + }, + "then_field": "config.allow_all_conversation_history", + "then_match": { + "eq": false + } } } ] diff --git a/schemas/ai-prompt-template/3.8.x.json b/schemas/ai-prompt-template/3.8.x.json index 3ca7328..6c8f6ed 100644 --- a/schemas/ai-prompt-template/3.8.x.json +++ b/schemas/ai-prompt-template/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,59 +27,62 @@ "fields": [ { "templates": { - "required": true, + "description": "Array of templates available to the request context.", "type": "array", + "required": true, "elements": { - "required": true, "fields": [ { "name": { - "required": true, + "description": "Unique name for the template, can be called with `{template://NAME}`", "type": "string", - "description": "Unique name for the template, can be called with `{template://NAME}`" + "required": true } }, { "template": { - "required": true, + "description": "Template string for this request, supports mustache-style `{{placeholders}}`", "type": "string", - "description": "Template string for this request, supports mustache-style `{{placeholders}}`" + "required": true } } ], + "required": true, "type": "record" - }, - "description": "Array of templates available to the request context." + } } }, { "allow_untemplated_requests": { - "required": true, - "default": true, + "description": "Set true to allow requests that don't call or match any template.", "type": "boolean", - "description": "Set true to allow requests that don't call or match any template." + "required": true, + "default": true } }, { "log_original_request": { - "required": true, - "default": false, + "description": "Set true to add the original request to the Kong log plugin(s) output.", "type": "boolean", - "description": "Set true to add the original request to the Kong log plugin(s) output." + "required": true, + "default": false } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
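Review bot: `allow_untemplated_requests` is declared with `"default": true`, so unless an operator sets it to false, requests that "don't call or match any template" are still allowed. If the templates are meant to constrain which prompts reach the model, that is a fail-open default, and the description should say so, for example `"description": "Set true to allow requests that don't call or match any template. Defaults to true; set to false to reject untemplated requests."`. That false means "reject" is inferred from the wording and should be confirmed against the plugin code. The enclosing `config` record starts outside this hunk.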
diff --git a/schemas/ai-proxy-advanced/3.8.x.json b/schemas/ai-proxy-advanced/3.8.x.json index f3bdf31..7be23c4 100644 --- a/schemas/ai-proxy-advanced/3.8.x.json +++ b/schemas/ai-proxy-advanced/3.8.x.json @@ -1,24 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.targets" - ] - } - }, - { - "custom_entity_check": { - "field_sources": [ - "config.targets", - "config.balancer" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -35,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -44,10 +27,10 @@ "fields": [ { "balancer": { - "required": true, "fields": [ { "algorithm": { + "description": "Which load balancing algorithm to use.", "type": "string", "default": "round-robin", "one_of": [ 
@@ -56,420 +39,320 @@ "lowest-usage", "consistent-hashing", "semantic" - ], - "description": "Which load balancing algorithm to use." + ] } }, { "tokens_count_strategy": { + "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`.", "type": "string", "default": "total-tokens", "one_of": [ "total-tokens", "prompt-tokens", "completion-tokens" - ], - "description": "What tokens to use for usage calculation. Available values are: `total_tokens` `prompt_tokens`, and `completion_tokens`." + ] } }, { "latency_strategy": { + "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`.", "type": "string", "default": "tpot", "one_of": [ "tpot", "e2e" - ], - "description": "What metrics to use for latency. Available values are: `tpot` (time-per-output-token) and `e2e`." + ] } }, { "hash_on_header": { - "default": "X-Kong-LLM-Request-ID", + "description": "The header to use for consistent-hashing.", "type": "string", - "description": "The header to use for consistent-hashing." + "default": "X-Kong-LLM-Request-ID" } }, { "slots": { + "description": "The number of slots in the load balancer algorithm.", + "type": "integer", "between": [ 10, 65536 ], - "default": 10000, - "type": "integer", - "description": "The number of slots in the load balancer algorithm." + "default": 10000 } }, { "retries": { + "description": "The number of retries to execute upon failure to proxy.", + "type": "integer", "between": [ 0, 32767 ], - "default": 5, - "type": "integer", - "description": "The number of retries to execute upon failure to proxy." 
+ "default": 5 } }, { "connect_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } }, { "write_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } }, { "read_timeout": { + "type": "integer", "between": [ 1, 2147483646 ], - "default": 60000, - "type": "integer" + "default": 60000 } } ], + "required": true, "type": "record" } }, { "embeddings": { - "required": false, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "type": "string", - "description": "AI provider format to use for embeddings API" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "type": "string", - "description": "Model name to execute." 
+ ] } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "upstream_url": { - "required": false, + "description": "upstream url for the embeddings", "type": "string", - "description": "upstream url for the embeddings" + "required": false } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } } ], + "required": false, "type": "record" } }, { "vectordb": { - "required": false, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "type": "string", - "description": "which vector database driver to use" + ] } }, { "dimensions": { - "required": true, + "description": "the desired dimensionality for the vectors", "type": "integer", - "description": "the desired dimensionality for the vectors" + "required": true } }, { "threshold": { - "required": true, + "description": "the default similarity threshold for accepting semantic search results (float)", "type": "number", - "description": "the default similarity threshold for accepting semantic search results (float)" + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "type": "string", - "description": "the distance metric to use for vector searches" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - 
"sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { 
@@ -479,439 +362,572 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 + } + }, + { + "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", + "required": false, + "type": "boolean", + "default": false + } + }, + { + "server_name": { + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string", + "required": false + } + }, + { + "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", + "required": false, + "type": "integer", + "default": 5 + } + }, + { + "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. 
Set the `host` and `port` to point to the proxy address.", + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "ssl": { - "required": false, - "default": false, - "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." - } + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] }, { - "ssl_verify": { - "required": false, - "default": false, - "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" } }, { - "server_name": { - "required": false, - "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." 
+ "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] } }, { - "cluster_max_redirections": { - "required": false, - "default": 5, - "description": "Maximum retry attempts for redirection.", - "type": "integer" + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] } }, { - "connection_is_proxied": { - "required": false, - "default": false, - "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", 
"elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } } ], + "required": false, "type": "record" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "model_name_header": { - "default": true, + "description": "Display the model name selected in the X-Kong-LLM-Model response header", "type": "boolean", - "description": "Display the model name selected in the X-Kong-LLM-Model response header" + "default": true } }, { "targets": { + "type": "array", "required": true, "elements": { "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." 
+ "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." + "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." 
+ "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." + "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." 
+ "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
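Review bot: In the `redis` record, `ssl` and `ssl_verify` are re-added with `"default": false` alongside `password` and `sentinel_password`. A configuration that sets a password and leaves both unset therefore has no transport encryption, and one that sets only `ssl` has no certificate validation. Changing the defaults would be a behaviour change, but the descriptions should at least state the consequence, e.g. append to `ssl_verify`: `When false, the Redis server certificate is not validated even if ssl is true.` and to `ssl`: `When false, the connection to Redis, including AUTH, is not encrypted.` These statements follow from the field descriptions only, because the connection code is not part of this diff. The `redis` record opens in the preceding hunk.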
@@ -922,172 +938,170 @@ "llama2", "gemini", "bedrock" - ], - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + ] } }, { "name": { - "required": false, + "description": "Model name to execute.", "type": "string", - "description": "Model name to execute." + "required": false } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { - "required": false, - "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models." + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt." + "required": false } }, { "output_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI." + "required": false } }, { "temperature": { - "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models." + "required": false } }, { "top_p": { - "required": false, + "description": "Defines the top-p probability mass, if supported.", "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported." + "required": false } }, { "top_k": { - "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported." 
+ "required": false } }, { "anthropic_version": { - "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "required": false } }, { "azure_instance": { - "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "description": "'api-version' for Azure OpenAI instances." + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "type": "string", - "description": "If using llama2 provider, select the upstream message format." + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "type": "string", - "description": "If using mistral provider, select the upstream message format." + ] } }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." 
+ "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "required": false } }, { "project_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "required": false } }, { "location_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." + "required": false } } ], + "required": false, "entity_checks": [ { "mutually_required": [ 
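Review bot: Every change in this hunk moves keys around inside objects whose content is otherwise identical (`description`, `type` and `required` under `name`, `max_tokens`, `temperature` and the rest), which buries any real change under reordering noise. A changed `encrypted` or `referenceable` flag in the `auth` records elsewhere in this diff would be easy to miss in review. The uniform reshuffling suggests these schema files come from a dump script; if so, writing keys in a fixed order (sorted, for instance) at dump time would keep later diffs limited to actual schema changes. The same applies to the other hunks in this diff, and the `options` record opened here continues past the end of the hunk.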
@@ -1102,86 +1116,87 @@ }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, "type": "record" } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } }, { "weight": { + "description": "The weight this target gets within the upstream loadbalancer (1-65535).", + "type": "integer", "between": [ 1, 65535 ], - "default": 100, - "type": "integer", - "description": "The weight this target gets within the upstream loadbalancer (1-65535)." + "default": 100 } }, { "description": { + "description": "The semantic description of the target, required if using semantic load balancing.", "required": false, - "type": "string", - "description": "The semantic description of the target, required if using semantic load balancing." + "type": "string" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." 
+ "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
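Review bot: The `log_payloads` description in the `logging` record does not say that the logged bodies are the LLM prompts and completions, which can carry personal data or credentials into every configured log sink. A short caveat in the description would help operators decide, for example `"description": "If enabled, will log the request and response body (the full prompt and model output, which may contain sensitive data) into the Kong log plugin(s) output."`. The same field and wording appear in the `ai-proxy` schema later in this diff. If the file is generated, the text would need to change in the plugin's schema source rather than here.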
@@ -1199,100 +1214,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ 
+ "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -1304,15 +1319,30 @@ ] } } - ], - "type": "record" - }, - "type": "array" + ] + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.targets" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config.targets", + "config.balancer" + ] } } ] diff --git a/schemas/ai-proxy/3.8.x.json b/schemas/ai-proxy/3.8.x.json index c8a3294..46d054a 100644 --- a/schemas/ai-proxy/3.8.x.json +++ b/schemas/ai-proxy/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,151 +27,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "type": "string", - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation." + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", "type": "string", - "description": "If AI model requires authentication via Authorization or API key header, specify its name here." + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true, + "encrypted": true } }, { "param_name": { - "required": false, - "referenceable": true, + "description": "If AI model requires authentication via query parameter, specify its name here.", "type": "string", - "description": "If AI model requires authentication via query parameter, specify its name here." + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true, + "encrypted": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "type": "string", - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body." + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, + "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", "type": "boolean", - "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models." + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID." + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true, + "encrypted": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", "type": "string", - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID." + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, + "description": "Use service account auth for GCP-based providers and models.", "type": "boolean", - "description": "Use service account auth for GCP-based providers and models." + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true, + "encrypted": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true, + "encrypted": true } }, { "allow_override": { - "required": false, - "default": false, + "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", "type": "boolean", - "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin." + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
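Review bot: The `allow_override` description at the end of the `auth` record does not say which side wins. "Can be overridden in the request by the value configured in the plugin" can mean the plugin's value replaces the caller's, or the caller's replaces the plugin's. This flag decides whether a caller-supplied credential reaches the upstream provider, so the direction should be explicit, for example `"description": "If enabled, an authorization header or parameter supplied in the client request takes precedence over the value configured in the plugin."`. That wording assumes the caller's value wins and should be confirmed against the plugin implementation. The same description is used in the other `auth` record earlier in this diff.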
@@ -185,172 +183,170 @@ "llama2", "gemini", "bedrock" - ], - "type": "string", - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats." + ] } }, { "name": { - "required": false, + "description": "Model name to execute.", "type": "string", - "description": "Model name to execute." + "required": false } }, { "options": { - "required": false, "description": "Key/value settings for the model", + "type": "record", "fields": [ { "max_tokens": { - "required": false, - "default": 256, + "description": "Defines the max_tokens, if using chat or completion models.", "type": "integer", - "description": "Defines the max_tokens, if using chat or completion models." + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in your prompt.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in your prompt." + "required": false } }, { "output_cost": { - "required": false, + "description": "Defines the cost per 1M tokens in the output of the AI.", "type": "number", "gt": 0, - "description": "Defines the cost per 1M tokens in the output of the AI." + "required": false } }, { "temperature": { - "required": false, + "description": "Defines the matching temperature, if using chat or completion models.", "type": "number", "between": [ 0, 5 ], - "description": "Defines the matching temperature, if using chat or completion models." + "required": false } }, { "top_p": { - "required": false, + "description": "Defines the top-p probability mass, if supported.", "type": "number", "between": [ 0, 1 ], - "description": "Defines the top-p probability mass, if supported." + "required": false } }, { "top_k": { - "required": false, + "description": "Defines the top-k most likely tokens, if supported.", "type": "integer", "between": [ 0, 500 ], - "description": "Defines the top-k most likely tokens, if supported." 
+ "required": false } }, { "anthropic_version": { - "required": false, + "description": "Defines the schema/API version, if using Anthropic provider.", "type": "string", - "description": "Defines the schema/API version, if using Anthropic provider." + "required": false } }, { "azure_instance": { - "required": false, + "description": "Instance name for Azure OpenAI hosted models.", "type": "string", - "description": "Instance name for Azure OpenAI hosted models." + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", + "description": "'api-version' for Azure OpenAI instances.", "type": "string", - "description": "'api-version' for Azure OpenAI instances." + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, + "description": "Deployment ID for Azure OpenAI instances.", "type": "string", - "description": "Deployment ID for Azure OpenAI instances." + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "type": "string", - "description": "If using llama2 provider, select the upstream message format." + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "type": "string", - "description": "If using mistral provider, select the upstream message format." + ] } }, { "upstream_url": { + "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", "required": false, - "type": "string", - "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint." 
+ "type": "string" } }, { "upstream_path": { - "required": false, "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", - "type": "string" + "type": "string", + "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, + "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", "type": "string", - "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only)." + "required": false } }, { "project_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the project ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the project ID." + "required": false } }, { "location_id": { - "required": false, + "description": "If running Gemini on Vertex, specify the location ID.", "type": "string", - "description": "If running Gemini on Vertex, specify the location ID." + "required": false } } ], + "required": false, "entity_checks": [ { "mutually_required": [ 
@@ -365,96 +361,97 @@ }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, "type": "record" } } ], - "type": "record" + "required": false } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, + "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output." + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, + "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", "type": "boolean", - "description": "If enabled, will log the request and response body into the Kong log plugin(s) output." + "required": true, + "default": false } } ], + "required": true, "type": "record" } }, { "response_streaming": { + "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events.", "required": false, - "type": "string", - "default": "allow", "one_of": [ "allow", "deny", "always" ], - "description": "Whether to 'optionally allow', 'deny', or 'always' (force) the streaming of answers via server sent events." 
+ "type": "string", + "default": "allow" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "model_name_header": { - "default": true, "description": "Display the model name selected in the X-Kong-LLM-Model response header", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_field": "auth.allow_override", "then_match": { "eq": false - }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + } } }, { 
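Review bot: The `max_request_body_size` description ("max allowed body size allowed to be introspected") gives no unit and does not say what happens to a request whose body exceeds the limit. Both matter to an operator: the unit for choosing a value other than the default `8192`, and the oversize behaviour for knowing whether a large request is rejected or passes through uninspected. Something like `"description": "Maximum request body size, in bytes, that the plugin will read and inspect."` would cover the first, with the unit to be confirmed against the implementation, plus a sentence on the oversize case. The `config` record that holds this field starts before the hunk.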
@@ -472,100 +469,100 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for llama2 provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.llama2_format" - ] + "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_err": "must set %s for mistral provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.mistral_format" - ] + "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_err": "must set %s for anthropic provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.anthropic_version" - ] + "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_instance" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_api_version" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + 
"model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_err": "must set %s for azure provider", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ] + "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_err": "must set %s for self-hosted providers/models", - "if_field": "model.provider", - "then_at_least_one_of": [ - "model.options.upstream_url" - ] + "then_err": "must set %s for self-hosted providers/models" } }, { @@ -578,8 +575,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-rate-limiting-advanced/3.8.x.json b/schemas/ai-rate-limiting-advanced/3.8.x.json index 9d8f08d..7564c29 100644 --- a/schemas/ai-rate-limiting-advanced/3.8.x.json +++ b/schemas/ai-rate-limiting-advanced/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,9 +27,8 @@ "fields": [ { "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", 
@@ -48,41 +38,45 @@ "path", "consumer-group" ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + "type": "string", + "default": "consumer" } }, { "window_type": { "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "type": "string" + ] } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "llm_providers": { - "required": true, "description": "The provider config. 
Takes an array of `name`, `limit` and `window size` values.", + "type": "array", + "required": true, "elements": { "fields": [ { "window_size": { - "required": true, "description": "The window size to apply a limit (defined in seconds).", - "type": "number" + "type": "number", + "required": true } }, { "name": { + "description": "The LLM provider to which the rate limit applies.", + "type": "string", "required": true, "one_of": [ "openai", 
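Review bot: The `llm_providers` description lists the element keys as `name`, `limit` and `window size`, but the field declared just below it is `window_size`. Because the other two names are written exactly as the keys, a reader copying from the description would get the third one wrong. Suggest ``"description": "The provider config. Takes an array of `name`, `limit` and `window_size` values."``. The `elements` record continues into the next hunk.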
@@ -94,285 +88,183 @@ "bedrock", "gemini", "requestPrompt" - ], - "description": "The LLM provider to which the rate limit applies.", - "type": "string" + ] } }, { "limit": { - "required": true, "description": "The limit applies to the LLM provider within the defined window size. It used the query cost from the tokens to increment the counter.", - "type": "number" + "type": "number", + "required": true } } ], "type": "record" - }, - "type": "array" + } } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, - "type": "string", - "default": "local", "one_of": [ "cluster", "redis", "local" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + "type": "string", + "default": "local" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. 
The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { 
- "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
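Review bot: The `strategy` description in this hunk lists only `local` and `cluster` as available values, while the `one_of` next to it also accepts `redis`, and the `dictionary_name` description that follows refers to the `redis` strategy. The description should name all three values, for example ending in `Available values are: local, cluster and redis.` As written, a reader cannot tell that the Redis-backed store, with the credentials and TLS options in the `redis` record, is a selectable strategy. The key reordering suggests this file is generated from the plugin schema; if so, the wording needs fixing at that source.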
@@ -383,214 +275,353 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). If set to `false`, all requests, including denied ones, are counted. 
This parameter only affects the `sliding` window_type and the request prompt provider.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "request_prompt_count_function": { - "required": false, "description": "If defined, it use custom function to count requests for the request prompt provider", - "type": "string" + "type": "string", + "required": false } }, { "error_code": { - "gt": 0, - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number" + "type": "number", + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded for provider(s): ", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "default": "API rate limit exceeded for provider(s): " } }, { "error_hide_providers": { - "default": false, "description": "Optionally hide informative response that would otherwise provide information about the provider in the error message.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "tokens_count_strategy": { + "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`.", "required": true, - "type": "string", - "default": "total_tokens", "one_of": [ "total_tokens", "prompt_tokens", "completion_tokens", "cost" ], - "description": "What tokens to use for cost calculation. Available values are: `total_tokens` `prompt_tokens`, `completion_tokens` or `cost`." + "type": "string", + "default": "total_tokens" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ai-request-transformer/3.8.x.json b/schemas/ai-request-transformer/3.8.x.json index 029d7e4..e1f190a 100644 --- a/schemas/ai-request-transformer/3.8.x.json 
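Review bot: In the `redis` record, `ssl` and `ssl_verify` both keep `"default": false` on the new side, so a configuration that sets only `host`, `port` and `password` connects without TLS. Enabling `ssl` alone still leaves the server certificate unchecked. The `password` and `sentinel_password` fields of the same record (previous hunk) are marked `encrypted`, which presumably covers storage and does nothing for the connection itself. The `ssl_verify` description should say this outright, for example by appending `Defaults to false: the Redis server certificate is not verified unless this is set to true.` Changing the defaults would be a behaviour change, and belongs in the plugin schema this file appears to be derived from.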
+++ b/schemas/ai-request-transformer/3.8.x.json @@ -1,36 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, - "then_field": "config.llm.route_type", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -47,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -64,72 +35,72 @@ "fields": [ { "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return.", "required": true, - "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the incoming proxy request (from the client), and what you are expecting in return." + "type": "string" } }, { "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure.", "required": false, - "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the request phase. The first match will be set as the outgoing body. If the AI service's response doesn't match this pattern, it is marked as a failure." + "type": "string" } }, { "http_timeout": { - "required": true, - "default": 60000, "description": "Timeout in milliseconds for the AI upstream service.", - "type": "integer" + "type": "integer", + "required": true, + "default": 60000 } }, { "https_verify": { - "required": true, - "default": true, "description": "Verify the TLS certificate of the AI upstream service.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
@@ -137,151 +108,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string" + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
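Review bot: The `allow_override` description near the end of this hunk does not say which credential wins. "Can be overridden in the request by the value configured in the plugin" can be read as the client's value replacing the plugin's, or the reverse. The direction decides whether a caller-supplied authorization header or key parameter is forwarded to the AI provider in place of the configured one, so the text should state it plainly. If client precedence is the intended behaviour, it could read `If enabled, an authorization header or parameter sent by the client is used instead of the value configured in the plugin.` The `auth` record closes inside this hunk, but the record that encloses it starts before the hunk.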
@@ -292,172 +264,172 @@ "llama2", "gemini", "bedrock" - ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string" + ] } }, { "name": { - "required": false, "description": "Model name to execute.", - "type": "string" + "type": "string", + "required": false } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "max_tokens": { - "required": false, - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer" + "type": "integer", + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "output_cost": { - "required": false, "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "temperature": { - "required": false, "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "type": "number" + "required": false } }, { "top_p": { - "required": false, "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { "top_k": { - "required": false, "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "type": "integer" + "required": false } }, { "anthropic_version": { - "required": false, "description": "Defines the schema/API version, if using Anthropic provider.", - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { - "required": false, "description": "Instance name for Azure OpenAI hosted models.", - "type": "string" + "type": 
"string", + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, "description": "Deployment ID for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string" + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string" + ] } }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "type": "string" + "type": "string", + "required": false } }, { "project_id": { - "required": false, "description": "If running Gemini on Vertex, specify the project ID.", - "type": "string" + "type": "string", + "required": false } }, { "location_id": { - "required": false, "description": "If running Gemini on Vertex, specify the location ID.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -466,74 +438,73 @@ "location_id" ] } - ], - "type": "record" + ] } }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string", - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "required": false } } ], + "required": false, "type": "record" } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + "then_field": "auth.allow_override" } }, { 
@@ -551,99 +522,99 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -657,13 +628,42 @@ } } ], - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-response-transformer/3.8.x.json b/schemas/ai-response-transformer/3.8.x.json index 671f26c..e7158ea 100644 --- a/schemas/ai-response-transformer/3.8.x.json +++ b/schemas/ai-response-transformer/3.8.x.json @@ -1,36 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_match": { - "eq": "llm/v1/chat" - }, - "then_field": "config.llm.route_type", - "if_match": { - "not_one_of": [ - "llm/v1/chat" - ] - }, - "if_field": "config.llm.route_type", - "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins" - } - }, - { - "mutually_required": [ - "config.http_proxy_host", - "config.http_proxy_port" - ] - }, - { - "mutually_required": [ - "config.https_proxy_host", - "config.https_proxy_port" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
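Review bot: Key order in the `entity_checks` block added at the end of this file is not stable: the added `conditional` lists `then_field`, `if_field`, `then_err`, `if_match`, `then_match`, while the `conditional` rewritten in the `@@ -466,74 +438,73 @@` hunk of the same file now lists `if_match`, `if_field`, `then_err`, `then_match`, `then_field`. That looks like the output of a serializer walking an unordered map, so each regeneration is likely to reshuffle keys, and a real change (a flipped `default`, a dropped `encrypted`) would be buried in reorder noise. Emitting keys in sorted order from the generator would keep future diffs to semantic changes; the `@@ -137,151 +108,152 @@` hunk of the next file shows the same drift between `header_name` and `header_value`. The file also still ends without a trailing newline.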
@@ -47,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -56,80 +27,80 @@ "fields": [ { "prompt": { + "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting.", "required": true, - "type": "string", - "description": "Use this prompt to tune the LLM system/assistant message for the returning proxy response (from the upstream), adn what response format you are expecting." + "type": "string" } }, { "transformation_extract_pattern": { + "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client.", "required": false, - "type": "string", - "description": "Defines the regular expression that must match to indicate a successful AI transformation at the response phase. The first match will be set as the returning body. If the AI service's response doesn't match this pattern, a failure is returned to the client." + "type": "string" } }, { "parse_llm_response_json_instructions": { - "required": true, - "default": false, + "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions.", "type": "boolean", - "description": "Set true to read specific response format from the LLM, and accordingly set the status code / body / headers that proxy back to the client. You need to engineer your LLM prompt to return the correct format, see plugin docs 'Overview' page for usage instructions." 
+ "required": true, + "default": false } }, { "http_timeout": { - "required": true, - "default": 60000, + "description": "Timeout in milliseconds for the AI upstream service.", "type": "integer", - "description": "Timeout in milliseconds for the AI upstream service." + "required": true, + "default": 60000 } }, { "https_verify": { - "required": true, - "default": true, + "description": "Verify the TLS certificate of the AI upstream service.", "type": "boolean", - "description": "Verify the TLS certificate of the AI upstream service." + "required": true, + "default": true } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, "description": "max allowed body size allowed to be introspected", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 8192 } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { 
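Review bot: The `prompt` description moved by this hunk still carries the typo `adn`, and the `max_request_body_size` description (`max allowed body size allowed to be introspected`) repeats "allowed" and names no unit. Suggested wording: `...(from the upstream), and what response format you are expecting.` and `Maximum request body size that may be introspected, in bytes.`; the unit is my assumption from the 8192 default and should be confirmed. If the file is generated, the fix belongs in the plugin's schema source rather than in this JSON.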
@@ -137,151 +108,152 @@ "fields": [ { "route_type": { + "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", + "type": "string", "required": true, "one_of": [ "llm/v1/chat", "llm/v1/completions", "preserve" - ], - "description": "The model's operation implementation, for this provider. Set to `preserve` to pass through without transformation.", - "type": "string" + ] } }, { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", + "type": "string", "required": true, "one_of": [ "openai", 
@@ -292,172 +264,172 @@ "llama2", "gemini", "bedrock" - ], - "description": "AI provider request format - Kong translates requests to and from the specified backend compatible formats.", - "type": "string" + ] } }, { "name": { - "required": false, "description": "Model name to execute.", - "type": "string" + "type": "string", + "required": false } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "max_tokens": { - "required": false, - "default": 256, "description": "Defines the max_tokens, if using chat or completion models.", - "type": "integer" + "type": "integer", + "required": false, + "default": 256 } }, { "input_cost": { - "required": false, "description": "Defines the cost per 1M tokens in your prompt.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "output_cost": { - "required": false, "description": "Defines the cost per 1M tokens in the output of the AI.", + "type": "number", "gt": 0, - "type": "number" + "required": false } }, { "temperature": { - "required": false, "description": "Defines the matching temperature, if using chat or completion models.", + "type": "number", "between": [ 0, 5 ], - "type": "number" + "required": false } }, { "top_p": { - "required": false, "description": "Defines the top-p probability mass, if supported.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { "top_k": { - "required": false, "description": "Defines the top-k most likely tokens, if supported.", + "type": "integer", "between": [ 0, 500 ], - "type": "integer" + "required": false } }, { "anthropic_version": { - "required": false, "description": "Defines the schema/API version, if using Anthropic provider.", - "type": "string" + "type": "string", + "required": false } }, { "azure_instance": { - "required": false, "description": "Instance name for Azure OpenAI hosted models.", - "type": "string" + "type": 
"string", + "required": false } }, { "azure_api_version": { - "required": false, - "default": "2023-05-15", "description": "'api-version' for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false, + "default": "2023-05-15" } }, { "azure_deployment_id": { - "required": false, "description": "Deployment ID for Azure OpenAI instances.", - "type": "string" + "type": "string", + "required": false } }, { "llama2_format": { + "description": "If using llama2 provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "raw", "openai", "ollama" - ], - "description": "If using llama2 provider, select the upstream message format.", - "type": "string" + ] } }, { "mistral_format": { + "description": "If using mistral provider, select the upstream message format.", + "type": "string", "required": false, "one_of": [ "openai", "ollama" - ], - "description": "If using mistral provider, select the upstream message format.", - "type": "string" + ] } }, { "upstream_url": { - "required": false, "description": "Manually specify or override the full URL to the AI operation endpoints, when calling (self-)hosted models, or for running via a private endpoint.", + "required": false, "type": "string" } }, { "upstream_path": { - "required": false, + "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type.", "type": "string", - "description": "Manually specify or override the AI operation path, used when e.g. using the 'preserve' route_type." 
+ "required": false } }, { "gemini": { - "required": false, "fields": [ { "api_endpoint": { - "required": false, "description": "If running Gemini on Vertex, specify the regional API endpoint (hostname only).", - "type": "string" + "type": "string", + "required": false } }, { "project_id": { - "required": false, "description": "If running Gemini on Vertex, specify the project ID.", - "type": "string" + "type": "string", + "required": false } }, { "location_id": { - "required": false, "description": "If running Gemini on Vertex, specify the location ID.", - "type": "string" + "type": "string", + "required": false } } ], + "required": false, + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -466,74 +438,73 @@ "location_id" ] } - ], - "type": "record" + ] } }, { "bedrock": { - "required": false, "fields": [ { "aws_region": { - "required": false, + "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option.", "type": "string", - "description": "If using AWS providers (Bedrock) you can override the `AWS_REGION` environment variable by setting this option." + "required": false } } ], + "required": false, "type": "record" } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } }, { "logging": { - "required": true, "fields": [ { "log_statistics": { - "required": true, - "default": false, "description": "If enabled and supported by the driver, will add model usage and token metrics into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "log_payloads": { - "required": true, - "default": false, "description": "If enabled, will log the request and response body into the Kong log plugin(s) output.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "if_field": "model.provider", "if_match": { "one_of": [ "bedrock", "gemini" ] }, - "then_field": "auth.allow_override", + "if_field": "model.provider", + "then_err": "bedrock and gemini only support auth.allow_override = false", "then_match": { "eq": false }, - "then_err": "bedrock and gemini only support auth.allow_override = false" + "then_field": "auth.allow_override" } }, { 
@@ -551,99 +522,99 @@ }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.llama2_format" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.llama2_format" - ], - "if_field": "model.provider", "then_err": "must set %s for llama2 provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.mistral_format" + ], "if_match": { "one_of": [ "mistral" ] }, - "then_at_least_one_of": [ - "model.options.mistral_format" - ], - "if_field": "model.provider", "then_err": "must set %s for mistral provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.anthropic_version" + ], "if_match": { "one_of": [ "anthropic" ] }, - "then_at_least_one_of": [ - "model.options.anthropic_version" - ], - "if_field": "model.provider", "then_err": "must set %s for anthropic provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_instance" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_instance" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_api_version" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_api_version" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { "conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.azure_deployment_id" + ], "if_match": { "one_of": [ "azure" ] }, - "then_at_least_one_of": [ - "model.options.azure_deployment_id" - ], - "if_field": "model.provider", "then_err": "must set %s for azure provider" } }, { 
"conditional_at_least_one_of": { + "if_field": "model.provider", + "then_at_least_one_of": [ + "model.options.upstream_url" + ], "if_match": { "one_of": [ "llama2" ] }, - "then_at_least_one_of": [ - "model.options.upstream_url" - ], - "if_field": "model.provider", "then_err": "must set %s for self-hosted providers/models" } }, @@ -657,13 +628,42 @@ } } ], - "type": "record" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "conditional": { + "then_field": "config.llm.route_type", + "if_field": "config.llm.route_type", + "then_err": "'config.llm.route_type' must be 'llm/v1/chat' for AI transformer plugins", + "if_match": { + "not_one_of": [ + "llm/v1/chat" + ] + }, + "then_match": { + "eq": "llm/v1/chat" + } + } + }, + { + "mutually_required": [ + "config.http_proxy_host", + "config.http_proxy_port" + ] + }, + { + "mutually_required": [ + "config.https_proxy_host", + "config.https_proxy_port" + ] + } ] } \ No newline at end of file diff --git a/schemas/ai-semantic-cache/3.8.x.json b/schemas/ai-semantic-cache/3.8.x.json index e782440..92f99f8 100644 --- a/schemas/ai-semantic-cache/3.8.x.json +++ b/schemas/ai-semantic-cache/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,491 +35,391 @@ "fields": [ { "message_countback": { + "description": "Number of messages in the chat history to Vectorize/Cache", + "type": "number", "between": [ 1, 1000 ], - "default": 1, - "type": "number", - "description": "Number of messages in the chat history to Vectorize/Cache" + "default": 1 } }, { "ignore_system_prompts": { - "default": false, + "description": "Ignore and discard any system prompts when Vectorizing the request", "type": "boolean", - "description": "Ignore and discard any system prompts when Vectorizing the request" + "default": false } }, { "ignore_assistant_prompts": { - "default": false, + "description": "Ignore and discard any assistant prompts when Vectorizing the request", "type": "boolean", - "description": "Ignore and discard any assistant prompts when Vectorizing the request" + "default": false } }, { "stop_on_failure": { + "description": "Halt the LLM request process in case of a caching system failure", "required": true, - "default": false, "type": "boolean", - "description": "Halt the LLM request process in case of a caching system failure" + "default": false } }, { "cache_ttl": { - "gt": 0, - "default": 300, + "description": "TTL in seconds of cache entities. Must be a value greater than 0.", "type": "integer", - "description": "TTL in seconds of cache entities. Must be a value greater than 0." + "gt": 0, + "default": 300 } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "default": false } }, { "exact_caching": { + "description": "When enabled, a first check for exact query will be done. It will impact DB size", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, a first check for exact query will be done. 
It will impact DB size" + "default": false } }, { "embeddings": { - "required": true, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "description": "AI provider format to use for embeddings API", - "type": "string" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "description": "Model name to execute.", - "type": "string" + ] } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "upstream_url": { - "required": false, "description": "upstream url for the embeddings", - "type": "string" + "type": "string", + "required": false } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } } ], + "required": true, "type": "record" } }, { "vectordb": { - "required": true, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "description": "which vector database driver 
to use", - "type": "string" + ] } }, { "dimensions": { - "required": true, "description": "the desired dimensionality for the vectors", - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { - "required": true, "description": "the default similarity threshold for accepting semantic search results (float)", - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "description": "the distance metric to use for vector searches", - "type": "string" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": 
"record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -533,169 +430,303 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], + "required": true, "type": "record" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ai-semantic-prompt-guard/3.8.x.json b/schemas/ai-semantic-prompt-guard/3.8.x.json index 644c2f6..fe2daee 100644 --- a/schemas/ai-semantic-prompt-guard/3.8.x.json +++ b/schemas/ai-semantic-prompt-guard/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.rules.allow_prompts", - "config.rules.deny_prompts" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
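Review bot: In the `redis` record, `ssl` and `ssl_verify` both keep `"default": false` on the new side of this hunk. A configuration that sets `password` or `sentinel_password` (both marked `"encrypted": true` earlier in the same record) and omits the two flags therefore sends its AUTH command over a plain, unverified connection. The `ssl` description does not say this, so I would extend it to `"description": "If set to true, uses SSL to connect to Redis. Defaults to false, in which case the Redis credentials are sent unencrypted."`. The same two fields appear with the same defaults in the `@@ -473,243 +365,382 @@` hunk of `schemas/ai-semantic-prompt-guard/3.8.x.json`. If these files are dumped from the gateway's own schema, the wording would need to change at that source rather than in this snapshot.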
@@ -35,434 +27,334 @@ "fields": [ { "embeddings": { - "required": true, "fields": [ { "auth": { - "required": false, "fields": [ { "header_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via Authorization or API key header, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "header_value": { + "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full auth header value for 'header_name', for example 'Bearer key' or just 'key'." + "referenceable": true } }, { "param_name": { - "required": false, - "referenceable": true, "description": "If AI model requires authentication via query parameter, specify its name here.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "param_value": { + "description": "Specify the full parameter value for 'param_name'.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Specify the full parameter value for 'param_name'." 
+ "referenceable": true } }, { "param_location": { + "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", + "type": "string", "required": false, "one_of": [ "query", "body" - ], - "description": "Specify whether the 'param_name' and 'param_value' options go in a query string, or the POST form/JSON body.", - "type": "string" + ] } }, { "azure_use_managed_identity": { - "required": false, - "default": false, "description": "Set true to use the Azure Cloud Managed Identity (or user-assigned identity) to authenticate with Azure-provider models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "azure_client_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "azure_client_secret": { + "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the client secret." 
+ "referenceable": true } }, { "azure_tenant_id": { - "required": false, - "referenceable": true, "description": "If azure_use_managed_identity is set to true, and you need to use a different user-assigned identity for this LLM instance, set the tenant ID.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "gcp_use_service_account": { - "required": false, - "default": false, "description": "Use service account auth for GCP-based providers and models.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "gcp_service_account_json": { + "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this field to the full JSON of the GCP service account to authenticate, if required. If null (and gcp_use_service_account is true), Kong will attempt to read from environment variable `GCP_SERVICE_ACCOUNT`." + "referenceable": true } }, { "aws_access_key_id": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_ACCESS_KEY_ID environment variable for this plugin instance." + "referenceable": true } }, { "aws_secret_access_key": { + "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. 
Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Set this if you are using an AWS provider (Bedrock) and you are authenticating using static IAM User credentials. Setting this will override the AWS_SECRET_ACCESS_KEY environment variable for this plugin instance." + "referenceable": true } }, { "allow_override": { - "required": false, - "default": false, "description": "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } } ], + "required": false, "type": "record" } }, { "model": { - "required": true, "fields": [ { "provider": { + "description": "AI provider format to use for embeddings API", + "type": "string", "required": true, "one_of": [ "openai", "mistral" - ], - "description": "AI provider format to use for embeddings API", - "type": "string" + ] } }, { "name": { + "description": "Model name to execute.", + "type": "string", "required": true, "one_of": [ "text-embedding-3-large", "text-embedding-3-small", "mistral-embed" - ], - "description": "Model name to execute.", - "type": "string" + ] } }, { "options": { - "required": false, + "description": "Key/value settings for the model", "type": "record", + "required": false, "fields": [ { "upstream_url": { - "required": false, "description": "upstream url for the embeddings", - "type": "string" + "type": "string", + "required": false } } - ], - "description": "Key/value settings for the model" + ] } } ], + "required": true, "type": "record" } } ], + "required": true, "type": "record" } }, { "vectordb": { - "required": true, "fields": [ { "strategy": { + "description": "which vector database driver to use", + "type": "string", "required": true, "one_of": [ "redis" - ], - "description": "which vector database driver 
to use", - "type": "string" + ] } }, { "dimensions": { - "required": true, "description": "the desired dimensionality for the vectors", - "type": "integer" + "type": "integer", + "required": true } }, { "threshold": { - "required": true, "description": "the default similarity threshold for accepting semantic search results (float)", - "type": "number" + "type": "number", + "required": true } }, { "distance_metric": { + "description": "the distance metric to use for vector searches", + "type": "string", "required": true, "one_of": [ "cosine", "euclidean" - ], - "description": "the distance metric to use for vector searches", - "type": "string" + ] } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": 
"record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -473,243 +365,382 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], + "required": true, "type": "record" } }, { "search": { - "required": false, "fields": [ { "threshold": { - "required": false, - "default": 0.5, + "description": "Threshold for the similarity score to be considered a match.", "type": "number", - "description": "Threshold for the similarity score to be considered a match." + "required": false, + "default": 0.5 } } ], + "required": false, "type": "record" } }, { "rules": { - "required": true, "fields": [ { "match_all_conversation_history": { - "required": false, - "default": false, + "description": "If false, will ignore all previous chat prompts from the conversation history.", "type": "boolean", - "description": "If false, will ignore all previous chat prompts from the conversation history." 
+ "required": false, + "default": false } }, { "allow_prompts": { + "description": "List of prompts to allow.", "required": false, + "len_max": 100, "elements": { - "len_max": 500, "type": "string", + "len_max": 500, "len_min": 1 }, - "type": "array", - "len_max": 100, - "description": "List of prompts to allow." + "type": "array" } }, { "deny_prompts": { + "description": "List of prompts to deny.", "required": false, + "len_max": 100, "elements": { - "len_max": 500, "type": "string", + "len_max": 500, "len_min": 1 }, - "type": "array", - "len_max": 100, - "description": "List of prompts to deny." + "type": "array" } }, { "max_request_body_size": { - "gt": 0, - "default": 8192, + "description": "max allowed body size allowed to be introspected", "type": "integer", - "description": "max allowed body size allowed to be introspected" + "gt": 0, + "default": 8192 } }, { "match_all_roles": { - "required": true, - "default": false, "description": "If true, will match all roles in addition to 'user' role in conversation history.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "required": true, "type": "record" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.rules.allow_prompts", + "config.rules.deny_prompts" + ] + } ] } \ No newline at end of file diff --git a/schemas/app-dynamics/3.8.x.json b/schemas/app-dynamics/3.8.x.json index 8a2ed0f..6323363 100644 --- a/schemas/app-dynamics/3.8.x.json +++ b/schemas/app-dynamics/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,9 +35,12 @@ "fields": [ ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/aws-lambda/3.8.x.json b/schemas/aws-lambda/3.8.x.json index 8541117..94f5742 100644 --- a/schemas/aws-lambda/3.8.x.json +++ b/schemas/aws-lambda/3.8.x.json @@ -1,22 +1,8 @@ { - "entity_checks": [ - { - "mutually_required": [ - "config.aws_key", - "config.aws_secret" - ] - }, - { - "custom_entity_check": { - "field_sources": [ - "config.proxy_url" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -33,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -50,223 +35,238 @@ "fields": [ { "timeout": { + "description": "An optional timeout in milliseconds when invoking the function.", "required": true, - "default": 60000, "type": "number", - "description": "An optional timeout in milliseconds when invoking the function." + "default": 60000 } }, { "keepalive": { + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "required": true, - "default": 60000, "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." + "default": 60000 } }, { "aws_key": { "description": "The AWS key credential to be used when invoking the function.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "aws_secret": { "description": "The AWS secret credential to be used when invoking the function. ", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "aws_assume_role_arn": { + "description": "The target AWS IAM role ARN used to invoke the Lambda function.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "The target AWS IAM role ARN used to invoke the Lambda function." + "referenceable": true } }, { "aws_role_session_name": { - "default": "kong", + "description": "The identifier of the assumed role session.", "type": "string", - "description": "The identifier of the assumed role session." + "default": "kong" } }, { "aws_sts_endpoint_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "aws_region": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "function_name": { + "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported.", "required": false, - "type": "string", - "description": "The AWS Lambda function to invoke. Both function name and function ARN (including partial) are supported." + "type": "string" } }, { "qualifier": { - "type": "string", - "description": "The qualifier to use when invoking the function." + "description": "The qualifier to use when invoking the function.", + "type": "string" } }, { "invocation_type": { + "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun.", "required": true, - "type": "string", - "default": "RequestResponse", "one_of": [ "RequestResponse", "Event", "DryRun" ], - "description": "The InvocationType to use when invoking the function. Available types are RequestResponse, Event, DryRun." + "type": "string", + "default": "RequestResponse" } }, { "log_type": { + "description": "The LogType to use when invoking the function. By default, None and Tail are supported.", "required": true, - "type": "string", - "default": "Tail", "one_of": [ "Tail", "None" ], - "description": "The LogType to use when invoking the function. By default, None and Tail are supported." + "type": "string", + "default": "Tail" } }, { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 443, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 443 } }, { "disable_https": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { "unhandled_status": { + "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", + "type": "integer", "between": [ 100, 999 - ], - "description": "The response status code to use (instead of the default 200, 202, or 204) in the case of an Unhandled Function Error.", - "type": "integer" + ] } }, { "forward_request_method": { - "default": false, + "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request method verb is sent in the request_method field of the JSON-encoded request." + "default": false } }, { "forward_request_uri": { - "default": false, + "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request URI is sent in the request_uri field of the JSON-encoded request." 
+ "default": false } }, { "forward_request_headers": { - "default": false, + "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request.", "type": "boolean", - "description": "An optional value that defines whether the original HTTP request headers are sent as a map in the request_headers field of the JSON-encoded request." + "default": false } }, { "forward_request_body": { - "default": false, + "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. ", "type": "boolean", - "description": "An optional value that defines whether the request body is sent in the request_body field of the JSON-encoded request. If the body arguments can be parsed, they are sent in the separate request_body_args field of the request. " + "default": false } }, { "is_proxy_integration": { - "default": false, + "description": "An optional value that defines whether the response format to receive from the Lambda to this format.", "type": "boolean", - "description": "An optional value that defines whether the response format to receive from the Lambda to this format." + "default": false } }, { "awsgateway_compatible": { - "default": false, + "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway.", "type": "boolean", - "description": "An optional value that defines whether the plugin should wrap requests into the Amazon API gateway." + "default": false } }, { "proxy_url": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "skip_large_bodies": { - "default": true, + "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk", "type": "boolean", - "description": "An optional value that defines whether Kong should send large bodies that are buffered to disk" + "default": true } }, { "base64_encode_body": { - "default": true, + "description": "An optional value that Base64-encodes the request body.", "type": "boolean", - "description": "An optional value that Base64-encodes the request body." + "default": true } }, { "aws_imds_protocol_version": { + "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`.", "required": true, - "type": "string", - "default": "v1", "one_of": [ "v1", "v2" ], - "description": "Identifier to select the IMDS protocol version to use: `v1` or `v2`." + "type": "string", + "default": "v1" } }, { "empty_arrays_mode": { + "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response", "required": true, - "type": "string", - "default": "legacy", "one_of": [ "legacy", "correct" ], - "description": "An optional value that defines whether Kong should send empty arrays (returned by Lambda function) as `[]` arrays or `{}` objects in JSON responses. The value `legacy` means Kong will send empty arrays as `{}` objects in response" + "type": "string", + "default": "legacy" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "mutually_required": [ + "config.aws_key", + "config.aws_secret" + ] + }, + { + "custom_entity_check": { + "field_sources": [ + "config.proxy_url" + ] } } ] 
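Review bot: `disable_https` in the aws-lambda `config` record (hunk `@@ -50,223 +35,238 @@`) is still emitted with only `default` and `type`, while the other fields in this hunk carry a `description`. Because the name indicates it controls whether the call to the Lambda endpoint is encrypted, I would document it, for example `"description": "If true, the plugin connects to the Lambda endpoint over plain HTTP instead of HTTPS."`, with the wording confirmed against the plugin's behaviour. In the same hunk `aws_imds_protocol_version` keeps `"default": "v1"`, and its description could state that `v2` is the session-token variant so operators hardening instance-metadata access know which value to pick. The key reordering suggests this file is generated; if so, both changes belong in the plugin's schema source rather than here.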
diff --git a/schemas/azure-functions/3.8.x.json b/schemas/azure-functions/3.8.x.json index a82affc..5299c53 100644 --- a/schemas/azure-functions/3.8.x.json +++ b/schemas/azure-functions/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,81 +42,84 @@ "fields": [ { "timeout": { - "default": 600000, "description": "Timeout in milliseconds before closing a connection to the Azure Functions server.", - "type": "number" + "type": "number", + "default": 600000 } }, { "keepalive": { - "default": 60000, "description": "Time in milliseconds during which an idle connection to the Azure Functions server lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "https": { - "default": true, "description": "Use of HTTPS to connect with the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "https_verify": { - "default": false, "description": "Set to `true` to authenticate the Azure Functions server.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "apikey": { "description": "The apikey to access the Azure resources. If provided, it is injected as the `x-functions-key` header.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "clientid": { "description": "The `clientid` to access the Azure resources. 
If provided, it is injected as the `x-functions-clientid` header.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "appname": { - "required": true, "description": "The Azure app name.", - "type": "string" + "type": "string", + "required": true } }, { "hostdomain": { - "required": true, - "default": "azurewebsites.net", "description": "The domain where the function resides.", - "type": "string" + "type": "string", + "required": true, + "default": "azurewebsites.net" } }, { "routeprefix": { - "default": "api", "description": "Route prefix to use.", - "type": "string" + "type": "string", + "default": "api" } }, { "functionname": { - "required": true, "description": "Name of the Azure function to invoke.", - "type": "string" + "type": "string", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/basic-auth/3.8.x.json b/schemas/basic-auth/3.8.x.json index 007ea43..fb63474 100644 --- a/schemas/basic-auth/3.8.x.json +++ b/schemas/basic-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
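Review bot: `https_verify` in the azure-functions `config` record (hunk `@@ -45,81 +42,84 @@`) keeps `"default": false` next to `https` defaulting to `true`, and its description does not say what is skipped when the field is left unset. I would extend it to `"description": "Set to `true` to authenticate the Azure Functions server. With the default `false`, the server certificate is not verified."`; this presumes the flag controls TLS certificate verification, which the schema alone does not show. If the file is generated from the plugin schema, as the reordered keys suggest, the wording belongs in that source.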
@@ -55,24 +52,27 @@ }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the `Authorization` header) before proxying it." + "default": false } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": true, - "default": "service", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "default": "service" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/bot-detection/3.8.x.json b/schemas/bot-detection/3.8.x.json index 7eb652d..3f7aa01 100644 --- a/schemas/bot-detection/3.8.x.json +++ b/schemas/bot-detection/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,34 +43,37 @@ "fields": [ { "allow": { + "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "default": [ - - ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be allowed. The regular expressions will be checked against the `User-Agent` header." + "default": [ + + ] } }, { "deny": { + "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header.", "type": "array", - "default": [ - - ], "elements": { "type": "string", "is_regex": true }, - "description": "An array of regular expressions that should be denied. The regular expressions will be checked against the `User-Agent` header." + "default": [ + + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/canary/3.8.x.json b/schemas/canary/3.8.x.json index 22a12ee..11ed423 100644 --- a/schemas/canary/3.8.x.json +++ b/schemas/canary/3.8.x.json 
@@ -1,56 +1,24 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.upstream_uri", - "config.upstream_host", - "config.upstream_port" - ] - }, - { - "conditional": { - "then_field": "config.hash_header", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.hash" - } - }, - { - "conditional": { - "then_field": "config.upstream_host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "config.upstream_fallback" - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -67,23 +35,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "required": true, "fields": [ { "start": { - "type": "number", - "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`." + "description": "Future time in seconds since epoch, when the canary release will start. Ignored when `percentage` is set, or when using `allow` or `deny` in `hash`.", + "type": "number" } }, { "hash": { "description": "Hash algorithm to be used for canary release.\n\n* `consumer`: The hash will be based on the consumer.\n* `ip`: The hash will be based on the client IP address.\n* `none`: No hash will be applied.\n* `allow`: Allows the specified groups to access the canary release.\n* `deny`: Denies the specified groups from accessing the canary release.\n* `header`: The hash will be based on the specified header value.", + "type": "string", "default": "consumer", "one_of": [ "consumer", 
@@ -92,98 +59,131 @@ "allow", "deny", "header" - ], - "type": "string" + ] } }, { "hash_header": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "duration": { - "gt": 0, - "default": 3600, "description": "The duration of the canary release in seconds.", - "type": "number" + "type": "number", + "gt": 0, + "default": 3600 } }, { "steps": { - "gt": 1, - "default": 1000, "description": "The number of steps for the canary release.", - "type": "number" + "type": "number", + "gt": 1, + "default": 1000 } }, { "percentage": { + "description": "The percentage of traffic to be routed to the canary release.", + "type": "number", "between": [ 0, 100 - ], - "type": "number", - "description": "The percentage of traffic to be routed to the canary release." + ] } }, { "upstream_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "upstream_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "upstream_uri": { + "description": "The URI of the upstream server to be used for the canary release.", "len_min": 1, - "type": "string", - "description": "The URI of the upstream server to be used for the canary release." 
+ "type": "string" } }, { "upstream_fallback": { - "required": true, - "default": false, "description": "Specifies whether to fallback to the upstream server if the canary release fails.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "groups": { + "description": "The groups allowed to access the canary release.", "type": "array", "elements": { "type": "string" - }, - "description": "The groups allowed to access the canary release." + } } }, { "canary_by_header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], + "required": true, + "type": "record", "shorthand_fields": [ { "hash": { - "type": "string", - "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead." + "description": "Hash algorithm to be used for canary release. `whitelist` is deprecated. Use `allow` instead `blacklist` is deprecated. Use `deny` instead.", + "type": "string" } } - ], - "type": "record" + ] + } + } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.upstream_uri", + "config.upstream_host", + "config.upstream_port" + ] + }, + { + "conditional": { + "if_field": "config.hash", + "if_match": { + "eq": "header" + }, + "then_field": "config.hash_header", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.upstream_fallback", + "if_match": { + "eq": true + }, + "then_field": "config.upstream_host", + "then_match": { + "required": true + } } } ] diff --git a/schemas/confluent/3.8.x.json b/schemas/confluent/3.8.x.json index 280db66..7a95388 100644 --- a/schemas/confluent/3.8.x.json +++ b/schemas/confluent/3.8.x.json 
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,19 +36,20 @@ { "bootstrap_servers": { "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", + "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 @@ -61,29 +59,28 @@ } ], "type": "record" - }, - "type": "set" + } } }, { "topic": { - "required": true, + "description": "The Kafka topic to publish to.", "type": "string", - "description": "The Kafka topic to publish to." + "required": true } }, { "timeout": { - "default": 10000, + "description": "Socket timeout in milliseconds.", "type": "integer", - "description": "Socket timeout in milliseconds." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "Keepalive timeout in milliseconds.", "type": "integer", - "description": "Keepalive timeout in milliseconds." + "default": 60000 } }, { 
@@ -94,146 +91,146 @@ }, { "cluster_api_key": { + "description": "Username/Apikey for SASL authentication.", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Username/Apikey for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "cluster_api_secret": { + "description": "Password/ApiSecret for SASL authentication.", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Password/ApiSecret for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "confluent_cloud_api_key": { + "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Apikey for authentication with Confluent Cloud. This allows for management tasks such as creating topics, ACLs, etc." + "referenceable": true, + "encrypted": true } }, { "confluent_cloud_api_secret": { + "description": "The corresponding secret for the Confluent Cloud API key.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The corresponding secret for the Confluent Cloud API key." + "referenceable": true, + "encrypted": true } }, { "forward_method": { - "default": false, + "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_uri": { - "default": false, + "description": "Include the request URI and URI arguments (as in, query arguments) in the message. 
At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_headers": { - "default": false, + "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": false } }, { "forward_body": { - "default": true, + "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", "type": "boolean", - "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`." + "default": true } }, { "cluster_name": { - "required": false, - "type": "string", "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", - "auto": true + "type": "string", + "auto": true, + "required": false } }, { "producer_request_acks": { + "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set)." + ] } }, { "producer_request_timeout": { - "default": 2000, + "description": "Time to wait for a Produce response in milliseconds.", "type": "integer", - "description": "Time to wait for a Produce response in milliseconds." + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, + "description": "Maximum number of messages to include into a single producer request.", "type": "integer", - "description": "Maximum number of messages to include into a single producer request." + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, + "description": "Maximum size of a Produce request in bytes.", "type": "integer", - "description": "Maximum size of a Produce request in bytes." + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, + "description": "Maximum number of retry attempts per single Produce request.", "type": "integer", - "description": "Maximum number of retry attempts per single Produce request." + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, + "description": "Backoff interval between retry attempts in milliseconds.", "type": "integer", - "description": "Backoff interval between retry attempts in milliseconds." + "default": 100 } }, { "producer_async": { - "default": true, + "description": "Flag to enable asynchronous mode.", "type": "boolean", - "description": "Flag to enable asynchronous mode." 
+ "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, + "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", "type": "integer", - "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode." + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, + "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", "type": "integer", - "description": "Maximum number of messages that can be buffered in memory in asynchronous mode." + "default": 50000 } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -246,8 +243,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/correlation-id/3.8.x.json b/schemas/correlation-id/3.8.x.json index 47df16c..47945b3 100644 --- a/schemas/correlation-id/3.8.x.json +++ b/schemas/correlation-id/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,36 +35,39 @@ "fields": [ { "header_name": { - "default": "Kong-Request-ID", + "description": "The HTTP header name to use for the correlation ID.", "type": "string", - "description": "The HTTP header name to use for the correlation ID." + "default": "Kong-Request-ID" } }, { "generator": { + "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators).", "required": true, - "type": "string", - "default": "uuid#counter", "one_of": [ "uuid", "uuid#counter", "tracker" ], - "description": "The generator to use for the correlation ID. Accepted values are `uuid`, `uuid#counter`, and `tracker`. See [Generators](#generators)." + "type": "string", + "default": "uuid#counter" } }, { "echo_downstream": { + "description": "Whether to echo the header back to downstream (the client).", "required": true, - "default": false, "type": "boolean", - "description": "Whether to echo the header back to downstream (the client)." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/cors/3.8.x.json b/schemas/cors/3.8.x.json index b0a4bf7..85e723f 100644 --- a/schemas/cors/3.8.x.json +++ b/schemas/cors/3.8.x.json @@ -1,29 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { + "len_min": 1, + "type": "string", "required": true, "one_of": [ "grpc", "grpcs", "http", "https" - ], - "type": "string", - "len_min": 1 + ] }, "type": "set", "default": [ 
@@ -31,15 +29,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -49,33 +46,34 @@ { "origins": { "description": "List of allowed domains for the `Access-Control-Allow-Origin` header. If you want to allow all origins, add `*` as a single value to this configuration field. The accepted values can either be flat strings or PCRE regexes.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { "description": "Value for the `Access-Control-Allow-Headers` header.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "exposed_headers": { "description": "Value for the `Access-Control-Expose-Headers` header. If not specified, no custom headers are exposed.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "methods": { "description": "'Value for the `Access-Control-Allow-Methods` header. Available options include `GET`, `HEAD`, `PUT`, `PATCH`, `POST`, `DELETE`, `OPTIONS`, `TRACE`, `CONNECT`. By default, all options are allowed.'", + "type": "array", "default": [ "GET", "HEAD", 
@@ -100,44 +98,46 @@ "TRACE", "CONNECT" ] - }, - "type": "array" + } } }, { "max_age": { - "type": "number", - "description": "Indicates how long the results of the preflight request can be cached, in `seconds`." + "description": "Indicates how long the results of the preflight request can be cached, in `seconds`.", + "type": "number" } }, { "credentials": { - "required": true, - "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Credentials` header should be sent with `true` as the value.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "private_network": { - "required": true, - "default": false, "description": "Flag to determine whether the `Access-Control-Allow-Private-Network` header should be sent with `true` as the value.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "preflight_continue": { - "required": true, - "default": false, "description": "A boolean value that instructs the plugin to proxy the `OPTIONS` preflight request to the Upstream service.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/datadog/3.8.x.json b/schemas/datadog/3.8.x.json index d464b6c..9c8a1c3 100644 --- a/schemas/datadog/3.8.x.json +++ b/schemas/datadog/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ 
@@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,81 +43,81 @@ { "host": { "description": "A string representing a host name, such as example.com.", + "type": "string", "referenceable": true, - "default": "localhost", - "type": "string" + "default": "localhost" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to be attached as a prefix to a metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "service_name_tag": { - "default": "name", "description": "String to be attached as the name of the service.", - "type": "string" + "type": "string", + "default": "name" } }, { "status_tag": { - "default": "status", "description": "String to be attached as the tag of the HTTP status.", - "type": "string" + "type": "string", + "default": "status" } }, { "consumer_tag": { - "default": "consumer", "description": "String to be attached as tag of the consumer.", - "type": "string" + "type": "string", + "default": "consumer" } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 10, "message": "datadog: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "type": "integer", - "description": "Number of times to retry when sending data to the upstream server." 
+ "removal_in_version": "4.0" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 1, "message": "datadog: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "type": "integer", - "description": "Maximum number of log entries to be sent on each message to the upstream server." + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { + "old_default": 2, "message": "datadog: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "type": "number", - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records." + "removal_in_version": "4.0" + } } }, { 
@@ -128,96 +125,99 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "metrics": { + "description": "List of metrics to be logged.", "required": true, "elements": { "fields": [ { "name": { + "description": "Datadog metric’s name", "required": true, + "type": "string", "one_of": [ "kong_latency", "latency", @@ -225,14 +225,14 @@ "request_size", "response_size", "upstream_latency" - ], - "description": "Datadog metric’s name", - "type": "string" + ] } }, { "stat_type": { + "description": "Determines what sort of event the metric represents", "required": true, + "type": "string", "one_of": [ "counter", "gauge", 
@@ -241,121 +241,121 @@ "set", "timer", "distribution" - ], - "description": "Determines what sort of event the metric represents", - "type": "string" + ] } }, { "tags": { + "description": "List of tags", "type": "array", "elements": { - "match": "^.*[^:]$", - "type": "string" - }, - "description": "List of tags" + "type": "string", + "match": "^.*[^:]$" + } } }, { "sample_rate": { + "description": "Sampling rate", + "type": "number", "between": [ 0, 1 - ], - "type": "number", - "description": "Sampling rate" + ] } }, { "consumer_identifier": { + "description": "Authenticated user detail", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail" + ] } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" + ] }, "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", "name": "request_count", "consumer_identifier": "custom_id", + "sample_rate": 1, "tags": [ "app:kong" ] }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "latency" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "request_size" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "response_size" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "upstream_latency" }, { - "consumer_identifier": "custom_id", "stat_type": "timer", "tags": [ "app:kong" ], + "consumer_identifier": "custom_id", "name": "kong_latency" } - ], - 
"description": "List of metrics to be logged." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/degraphql/3.8.x.json b/schemas/degraphql/3.8.x.json index 8748c73..80461c1 100644 --- a/schemas/degraphql/3.8.x.json +++ b/schemas/degraphql/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,23 +43,26 @@ "fields": [ { "graphql_server_path": { - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", - "default": "/graphql", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/graphql" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/exit-transformer/3.8.x.json b/schemas/exit-transformer/3.8.x.json index 2d52300..9ba8d46 100644 --- a/schemas/exit-transformer/3.8.x.json +++ b/schemas/exit-transformer/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,30 +36,33 @@ { "functions": { "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "handle_unknown": { - "default": false, "description": "Determines whether to handle unknown status codes by transforming their responses.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "handle_unexpected": { - "default": false, "description": "Determines whether to handle unexpected errors by transforming their responses.", - "type": "boolean" + "type": "boolean", + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/file-log/3.8.x.json b/schemas/file-log/3.8.x.json index 0bd1604..8c59160 100644 --- a/schemas/file-log/3.8.x.json +++ b/schemas/file-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,19 +42,19 @@ "fields": [ { "path": { - "required": true, + "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet.", + "err": "not a valid filename", "match": "^[^*&%%\\`]+$", "type": "string", - "err": "not a valid filename", - "description": "The file path of the output log file. The plugin creates the log file if it doesn't exist yet." + "required": true } }, { "reopen": { + "description": "Determines whether the log file is closed and reopened on every request.", "required": true, - "default": false, "type": "boolean", - "description": "Determines whether the log file is closed and reopened on every request." + "default": false } }, { @@ -66,18 +63,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/forward-proxy/3.8.x.json b/schemas/forward-proxy/3.8.x.json index a606ccd..236f0a9 100644 --- a/schemas/forward-proxy/3.8.x.json +++ b/schemas/forward-proxy/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,130 +19,128 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "http_proxy_host", - "https_proxy_host" - ] - }, - { - "at_least_one_of": [ - "http_proxy_port", - "https_proxy_port" - ] - }, - { - "mutually_required": [ - "http_proxy_host", - "http_proxy_port" - ] - }, - { - "mutually_required": [ - "https_proxy_host", - "https_proxy_port" - ] - } - ], - "type": "record", "fields": [ { "x_headers": { + "description": "Determines how to handle headers when forwarding the request.", "required": true, - "type": "string", - "default": "append", "one_of": [ "append", "transparent", "delete" ], - "description": "Determines how to handle headers when forwarding the request." + "type": "string", + "default": "append" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "proxy_scheme": { + "description": "The proxy scheme to use when connecting. Only `http` is supported.", "required": true, - "type": "string", - "default": "http", "one_of": [ "http" ], - "description": "The proxy scheme to use when connecting. Only `http` is supported." + "type": "string", + "default": "http" } }, { "auth_username": { - "required": false, - "referenceable": true, "description": "The username to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "auth_password": { - "required": false, - "referenceable": true, "description": "The password to authenticate with, if the forward proxy is protected\nby basic authentication.", - "type": "string" + "type": "string", + "required": false, + "referenceable": true } }, { "https_verify": { - "required": true, - "default": false, "description": "Whether the server certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "http_proxy_host", + "https_proxy_host" + ] + }, + { + "at_least_one_of": [ + "http_proxy_port", + "https_proxy_port" + ] + }, + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", "shorthand_fields": [ { "proxy_host": { 
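Review bot: In the `config` fields of schemas/forward-proxy/3.8.x.json, `auth_password` is emitted with `"referenceable": true` but without `"encrypted": true`, while the Redis `password` and `sentinel_password` fields in schemas/graphql-proxy-cache-advanced/3.8.x.json carry both. If that attribute is what marks a field for at-rest encryption, the forward-proxy credential is stored in plaintext unless the operator supplies a vault reference. In the same hunk `https_verify` keeps `"default": false`, so per its own description the server certificate is not verified unless the operator turns it on. Neither is introduced by this commit, which only reorders keys, and if these files are exported from the plugin's own schema the fix belongs there rather than in the JSON. The proposal is to add `"encrypted": true` to `auth_password`, and to consider `"default": true` for `https_verify` or at least state the unverified default in its `description`.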
@@ -164,8 +160,12 @@ "type": "integer" } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-proxy-cache-advanced/3.8.x.json b/schemas/graphql-proxy-cache-advanced/3.8.x.json index d165e82..641b0e2 100644 --- a/schemas/graphql-proxy-cache-advanced/3.8.x.json +++ b/schemas/graphql-proxy-cache-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,22 +35,22 @@ "fields": [ { "strategy": { + "description": "The backing data store in which to hold cached entities. Accepted value is `memory`.", "required": true, - "type": "string", - "default": "memory", "one_of": [ "memory", "redis" ], - "description": "The backing data store in which to hold cached entities. Accepted value is `memory`." + "type": "string", + "default": "memory" } }, { "cache_ttl": { - "gt": 0, - "default": 300, "description": "TTL in seconds of cache entities. Must be a value greater than 0.", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 300 } }, { 
@@ -61,224 +58,125 @@ "fields": [ { "dictionary_name": { - "required": true, - "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. This dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. 
If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -289,181 +187,314 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "bypass_on_err": { - "default": false, "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/graphql-rate-limiting-advanced/3.8.x.json b/schemas/graphql-rate-limiting-advanced/3.8.x.json index bf90f6f..6274df8 100644 --- a/schemas/graphql-rate-limiting-advanced/3.8.x.json +++ b/schemas/graphql-rate-limiting-advanced/3.8.x.json 
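Review bot: The `ssl_verify` description in this hunk does not say what its `false` default means once `ssl` is turned on: as worded, the server certificate is then not validated, so the connection is encrypted but the Redis endpoint is not authenticated. Since the same record holds the Redis and Sentinel passwords, I would append a sentence to the description such as `When ssl is true and this is false, the server certificate is not checked; enable it wherever Redis credentials are configured.` The same text appears in the `redis` record of schemas/graphql-rate-limiting-advanced/3.8.x.json (hunk `@@ -372,164 +264,303 @@`). If these files are generated, the wording belongs in the upstream schema source rather than in this diff.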
@@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,324 +35,225 @@ "fields": [ { "identifier": { + "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", "consumer" ], - "description": "How to define the rate limit key. Can be `ip`, `credential`, `consumer`." + "type": "string", + "default": "consumer" } }, { "window_size": { - "required": true, + "description": "One or more window sizes to apply a limit to (defined in seconds).", "type": "array", + "required": true, "elements": { "type": "number" - }, - "description": "One or more window sizes to apply a limit to (defined in seconds)." + } } }, { "window_type": { + "description": "Sets the time window to either `sliding` or `fixed`.", "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "description": "Sets the time window to either `sliding` or `fixed`." + ] } }, { "limit": { - "required": true, + "description": "One or more requests-per-window limits to apply.", "type": "array", + "required": true, "elements": { "type": "number" - }, - "description": "One or more requests-per-window limits to apply." + } } }, { "sync_rate": { - "required": true, + "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds.", "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 syncs the counters in that many number of seconds." + "required": true } }, { "namespace": { + "description": "The rate limiting namespace to use for this plugin instance. 
This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", "type": "string", - "auto": true, - "description": "The rate limiting namespace to use for this plugin instance. This namespace is used to share rate limiting counters across different instances. If it is not provided, a random UUID is generated. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same." + "auto": true } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits.", "required": true, - "type": "string", - "default": "cluster", "one_of": [ "cluster", "redis" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits." + "type": "string", + "default": "cluster" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", + "description": "The shared dictionary where counters will be stored until the next sync cycle.", "type": "string", - "description": "The shared dictionary where counters will be stored until the next sync cycle." + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, + "description": "Optionally hide informative response headers. Available options: `true` or `false`.", "type": "boolean", - "description": "Optionally hide informative response headers. Available options: `true` or `false`." + "default": false } }, { "cost_strategy": { + "description": "Strategy to use to evaluate query costs. 
Either `default` or `node_quantifier`.", "type": "string", "default": "default", "one_of": [ "default", "node_quantifier" - ], - "description": "Strategy to use to evaluate query costs. Either `default` or `node_quantifier`." + ] } }, { "score_factor": { - "gt": 0, - "type": "number", - "default": 1, + "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0.", "required": false, - "description": "A scoring factor to multiply (or divide) the cost. The `score_factor` must always be greater than 0." + "type": "number", + "gt": 0, + "default": 1 } }, { "max_cost": { - "required": false, - "default": 0, + "description": "A defined maximum cost per query. 0 means unlimited.", "type": "number", - "description": "A defined maximum cost per query. 0 means unlimited." + "required": false, + "default": 0 } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - 
"cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. 
To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -372,164 +264,303 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/grpc-gateway/3.8.x.json b/schemas/grpc-gateway/3.8.x.json index 03ba8d8..70622fd 100644 --- a/schemas/grpc-gateway/3.8.x.json +++ b/schemas/grpc-gateway/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ 
@@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,18 @@ "fields": [ { "proto": { - "required": false, + "description": "Describes the gRPC types and methods.", "type": "string", - "description": "Describes the gRPC types and methods." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/grpc-web/3.8.x.json b/schemas/grpc-web/3.8.x.json index 377e7a3..7c096f1 100644 --- a/schemas/grpc-web/3.8.x.json +++ b/schemas/grpc-web/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,30 +42,33 @@ "fields": [ { "proto": { - "required": false, "description": "If present, describes the gRPC types and methods. Required to support payload transcoding. When absent, the web client must use application/grpw-web+proto content.", - "type": "string" + "type": "string", + "required": false } }, { "pass_stripped_path": { - "required": false, "description": "If set to `true` causes the plugin to pass the stripped request path to the upstream gRPC service.", - "type": "boolean" + "type": "boolean", + "required": false } }, { "allow_origin_header": { - "required": false, - "default": "*", "description": "The value of the `Access-Control-Allow-Origin` header in the response to the gRPC-Web client.", - "type": "string" + "type": "string", + "required": false, + "default": "*" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/header-cert-auth/3.8.x.json b/schemas/header-cert-auth/3.8.x.json index 80ece42..94570d8 100644 --- a/schemas/header-cert-auth/3.8.x.json +++ b/schemas/header-cert-auth/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
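Review bot: The `proto` description rewritten in this hunk names the content type `application/grpw-web+proto`, which looks like a typo for `application/grpc-web+proto`; the line is being touched anyway, so it could be corrected here (or in the upstream schema source if this file is generated). Separately, `allow_origin_header` keeps the default `*` and its description does not mention that this lets pages from any origin read the response. A sentence such as `Set this to a specific origin unless the service is meant to be called from any site.` would make the default an explicit choice for operators.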
@@ -46,28 +43,28 @@ "fields": [ { "certificate_header_name": { + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy.", "required": true, - "type": "string", - "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy." + "type": "string" } }, { "certificate_header_format": { + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`.", "required": true, + "type": "string", "one_of": [ "base64_encoded", "url_encoded" - ], - "type": "string", - "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`." + ] } }, { "secure_source": { - "required": true, - "default": true, "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option).", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } }, { @@ -78,6 +75,7 @@ }, { "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "required": false, "elements": { "type": "string", 
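Review bot: The `certificate_header_name` description says the certificate is received from a WAF or other L7 proxy but leaves out the precondition that makes trusting it safe: the proxy has to remove or overwrite this header on every inbound request. `secure_source` (default `true`) only limits which peers may send requests, as its own description reads, and presumably cannot distinguish a header set by the proxy from one passed through from the client. I would add to the description `The proxy must strip any client-supplied copy of this header before setting it.`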
@@ -90,82 +88,81 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { - "required": true, "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "type": "array", + "required": true, "elements": { - "uuid": true, - "type": "string" - }, - "type": "array" + "type": "string", + "uuid": true + } } }, { "cache_ttl": { - "required": true, - "default": 60, "description": "Cache expiry time in seconds.", - "type": "number" + "type": "number", + "required": true, + "default": 60 } }, { "skip_consumer_lookup": { - "required": true, - "default": false, "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "allow_partial_chain": { - "required": true, - "default": false, "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, - "type": "string", - "default": "CN", "one_of": [ "CN", "DN" ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + "type": "string", + "default": "CN" } }, { "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, - "type": "string", - "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
+ "type": "string", + "default": "IGNORE_CA_ERROR" } }, { "http_timeout": { - "default": 30000, "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", - "type": "number" + "type": "number", + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", - "type": "number" + "type": "number", + "default": 60000 } }, { @@ -176,38 +173,38 @@ }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "mutually_required": [ @@ -222,8 +219,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/hmac-auth/3.8.x.json b/schemas/hmac-auth/3.8.x.json index 5fdc7d3..b3b458c 100644 --- a/schemas/hmac-auth/3.8.x.json +++ b/schemas/hmac-auth/3.8.x.json 
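Review bot: `revocation_check_mode` keeps `"default": "IGNORE_CA_ERROR"`, and by its own description that mode "doesn't fail on network issues", which reads as accepting a client certificate whenever the OCSP responder or CRL cannot be reached. The description should state that consequence next to the default, for example by appending `With the default, a certificate whose revocation status cannot be retrieved is still accepted; use STRICT where revocation must be enforced.` This matters more here than in a plain mTLS setup because the certificate arrives in a request header and `skip_consumer_lookup` lets any client with a valid certificate through. The `config` record starts in an earlier hunk.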
@@ -1,25 +1,15 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.algorithms" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -28,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -38,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,55 +46,50 @@ "fields": [ { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." + "default": false } }, { "clock_skew": { - "gt": 0, - "default": 300, + "description": "Clock skew in seconds to prevent replay attacks.", "type": "number", - "description": "Clock skew in seconds to prevent replay attacks." + "gt": 0, + "default": 300 } }, { "anonymous": { - "type": "string", - "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (Consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "validate_request_body": { + "description": "A boolean value telling the plugin to enable body validation.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean value telling the plugin to enable body validation." + "default": false } }, { "enforce_headers": { "description": "A list of headers that the client should at least use for HTTP signature creation.", - "default": [ - - ], + "type": "array", "elements": { "type": "string" }, - "type": "array" + "default": [ + + ] } }, { "algorithms": { "description": "A list of HMAC digest algorithms that the user wants to support. Allowed values are `hmac-sha1`, `hmac-sha256`, `hmac-sha384`, and `hmac-sha512`", - "default": [ - "hmac-sha1", - "hmac-sha256", - "hmac-sha384", - "hmac-sha512" - ], + "type": "array", "elements": { "type": "string", "one_of": [ 
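Review bot: `validate_request_body` keeps `"default": false` and `enforce_headers` keeps an empty default, but neither description says what the signature then leaves uncovered. Going by the field descriptions alone, a default configuration does not validate the request body and does not oblige the client to sign any particular header, so a reader cannot tell from the schema that body integrity is opt-in. I would extend the `validate_request_body` description with `When false, the request body is not checked and can change without invalidating the signature.` and give `enforce_headers` a matching sentence. The `algorithms` field that follows is cut by the end of this hunk.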
@@ -113,19 +99,33 @@ "hmac-sha512" ] }, - "type": "array" + "default": [ + "hmac-sha1", + "hmac-sha256", + "hmac-sha384", + "hmac-sha512" + ] } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.algorithms" + ] } } ] diff --git a/schemas/http-log/3.8.x.json b/schemas/http-log/3.8.x.json index f45f223..9a8a64f 100644 --- a/schemas/http-log/3.8.x.json +++ b/schemas/http-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,81 +42,81 @@ "fields": [ { "http_endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "required": true, - "referenceable": true, "type": "string", "encrypted": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "referenceable": true } }, { "method": { + "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`.", "type": "string", "default": "POST", "one_of": [ "POST", "PUT", "PATCH" - ], - "description": "An optional method used to send data to the HTTP server. Supported values are `POST` (default), `PUT`, and `PATCH`." + ] } }, { "content_type": { + "description": "Indicates the type of data sent. The only available option is `application/json`.", "type": "string", "default": "application/json", "one_of": [ "application/json", "application/json; charset=utf-8" - ], - "description": "Indicates the type of data sent. The only available option is `application/json`." + ] } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "number", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed.", "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection will live before being closed." 
+ "default": 60000 } }, { "retry_count": { + "description": "Number of times to retry when sending data to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 10, "message": "http-log: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "description": "Number of times to retry when sending data to the upstream server.", - "type": "integer" + "removal_in_version": "4.0" + } } }, { "queue_size": { + "description": "Maximum number of log entries to be sent on each message to the upstream server.", + "type": "integer", "deprecation": { + "old_default": 1, "message": "http-log: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "description": "Maximum number of log entries to be sent on each message to the upstream server.", - "type": "integer" + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", + "type": "number", "deprecation": { + "old_default": 2, "message": "http-log: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "description": "Optional time in seconds. If `queue_size` > 1, this is the max idle time before sending a log with less than `queue_size` records.", - "type": "number" + "removal_in_version": "4.0" + } } }, { @@ -131,7 +128,6 @@ "type": "string" }, "keys": { - "description": "A string representing an HTTP header name.", "match_none": [ { "pattern": "^[Hh][Oo][Ss][Tt]$", @@ -146,7 +142,8 @@ "err": "cannot contain 'Content-Type' header" } ], - "type": "string" + "type": "string", + "description": "A string representing an HTTP header name." } } }, 
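Review bot: The `content_type` description says the only available option is `application/json`, while the `one_of` list directly below it also accepts `application/json; charset=utf-8`. The description should match the validator, e.g. `Indicates the type of data sent. Supported values are application/json and application/json; charset=utf-8.` Separately, `timeout` and `keepalive` in this hunk are plain `number` fields with no `between` bound, unlike the queue fields later in the file; if that is intentional it is worth a word in their descriptions.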
@@ -155,86 +152,86 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -243,18 +240,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ip-restriction/3.8.x.json b/schemas/ip-restriction/3.8.x.json index a8c4562..aa8bec8 100644 --- a/schemas/ip-restriction/3.8.x.json +++ b/schemas/ip-restriction/3.8.x.json @@ -1,17 +1,12 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.allow", - "config.deny" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -23,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -35,8 +28,7 @@ "tls", "grpc", "grpcs" - ], - "description": "A set of strings representing protocols." + ] } }, { 
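Review bot: The map described only as `Lua code as a key-value map` (last http-log hunk; the field name is outside the hunk) does not tell the reader that its values are code the gateway will evaluate, and `"len_min": 1` is the only constraint the schema puts on them. I would expand the description to something like `Lua code as a key-value map. Values are evaluated as Lua by the gateway, so write access to this field is equivalent to code-execution access and should be restricted accordingly.` The execution context and any sandboxing are not visible from this schema, so the exact wording should be confirmed against the plugin source.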
@@ -44,42 +36,50 @@ "fields": [ { "allow": { + "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to allow. One of `config.allow` or `config.deny` must be specified." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } } }, { "deny": { + "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified.", "type": "array", "elements": { - "type": "string", - "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16." - }, - "description": "List of IPs or CIDR ranges to deny. One of `config.allow` or `config.deny` must be specified." + "description": "A string representing an IP address or CIDR block, such as 192.168.1.1 or 192.168.0.0/16.", + "type": "string" + } } }, { "status": { - "required": false, "description": "The HTTP status of the requests that will be rejected by the plugin.", - "type": "number" + "type": "number", + "required": false } }, { "message": { - "required": false, "description": "The message to send as a response body to rejected requests.", - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.allow", + "config.deny" + ] + } ] } \ No newline at end of file diff --git a/schemas/jq/3.8.x.json b/schemas/jq/3.8.x.json index 3e8a828..9e42f8c 100644 --- a/schemas/jq/3.8.x.json +++ b/schemas/jq/3.8.x.json 
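Review bot: `status` in the ip-restriction `config` record is typed `number` with no range check, so the schema accepts fractional or non-error values such as `200` as the status for a rejected request. The `error_status_code` field of json-threat-protection in this same commit is an `integer` with `"between": [ 400, 499 ]`; a comparable bound here would keep a misconfiguration from turning a deny into an apparent success. I would use `"type": "integer"` plus a `between` bound chosen to cover the codes operators already rely on. The record opens before this hunk, and if the file is generated the change has to be made in the plugin schema it is dumped from.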
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,8 +27,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -38,138 +35,134 @@ "fields": [ { "request_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "request_jq_program_options": { - "required": false, - "default": [ - - ], "fields": [ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record" + "required": false, + "type": "record", + "default": [ + + ] } }, { "request_if_media_type": { - "required": false, - "default": [ - "application/json" - ], "elements": { "type": "string" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + "application/json" + ] } }, { "response_jq_program": { - "required": false, - "type": "string" + "type": "string", + "required": false } }, { "response_jq_program_options": { - "required": false, - "default": [ - - ], "fields": [ { "compact_output": { "required": true, - "default": true, - "type": "boolean" + "type": "boolean", + "default": true } }, { "raw_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "join_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "ascii_output": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } }, { "sort_keys": { "required": true, - "default": false, - "type": "boolean" + "type": "boolean", + "default": false } } ], - "type": "record" + 
"required": false, + "type": "record", + "default": [ + + ] } }, { "response_if_media_type": { - "required": false, - "default": [ - "application/json" - ], "elements": { "type": "string" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + "application/json" + ] } }, { "response_if_status_code": { - "required": false, - "default": [ - 200 - ], "elements": { "between": [ 100, @@ -177,11 +170,15 @@ ], "type": "integer" }, - "type": "array" + "required": false, + "type": "array", + "default": [ + 200 + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -190,8 +187,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/json-threat-protection/3.8.x.json b/schemas/json-threat-protection/3.8.x.json index e430db6..a49e1e7 100644 --- a/schemas/json-threat-protection/3.8.x.json +++ b/schemas/json-threat-protection/3.8.x.json @@ -1,25 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.max_body_size", - "config.max_container_depth" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -36,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -53,111 +43,121 @@ "fields": [ { "max_body_size": { + "description": "Max size of the request body. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": 8192, - "description": "Max size of the request body. -1 means unlimited." + "type": "integer", + "default": 8192 } }, { "max_container_depth": { + "description": "Max nested depth of objects and arrays. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max nested depth of objects and arrays. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_object_entry_count": { + "description": "Max number of entries in an object. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max number of entries in an object. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_object_entry_name_length": { + "description": "Max string length of object name. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max string length of object name. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_array_element_count": { + "description": "Max number of elements in an array. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max number of elements in an array. -1 means unlimited." + "type": "integer", + "default": -1 } }, { "max_string_value_length": { + "description": "Max string value length. -1 means unlimited.", "required": false, - "type": "integer", "between": [ -1, 2147483648 ], - "default": -1, - "description": "Max string value length. -1 means unlimited." 
+ "type": "integer", + "default": -1 } }, { "enforcement_mode": { + "description": "Enforcement mode of the security policy.", "required": false, - "type": "string", - "default": "block", "one_of": [ "block", "log_only" ], - "description": "Enforcement mode of the security policy." + "type": "string", + "default": "block" } }, { "error_status_code": { + "description": "The response status code when validation fails.", "required": false, - "type": "integer", "between": [ 400, 499 ], - "default": 400, - "description": "The response status code when validation fails." + "type": "integer", + "default": 400 } }, { "error_message": { + "description": "The response message when validation fails", "required": false, - "default": "Bad Request", "type": "string", - "description": "The response message when validation fails" + "default": "Bad Request" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.max_body_size", + "config.max_container_depth" + ] } } ] diff --git a/schemas/jwe-decrypt/3.8.x.json b/schemas/jwe-decrypt/3.8.x.json index b408e68..f30147c 100644 --- a/schemas/jwe-decrypt/3.8.x.json +++ b/schemas/jwe-decrypt/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
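Review bot: Every limit in the json-threat-protection `config` record except `max_body_size` is emitted with `"default": -1`, which the descriptions define as unlimited, so a plugin enabled with defaults enforces the 8192 body cap and nothing on nesting depth, entry count, name length or string length. The descriptions should say that outright, e.g. by appending `Defaults to -1, so this check is off until a limit is set.` to each of the five fields. The shared `"between": [ -1, 2147483648 ]` also admits `0` and a maximum one above the signed 32-bit limit; if either is unintended the bound should be tightened in the schema source.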
@@ -46,41 +43,44 @@ "fields": [ { "lookup_header_name": { - "required": true, - "default": "Authorization", + "description": "The name of the header to look for the JWE token.", "type": "string", - "description": "The name of the header to look for the JWE token." + "required": true, + "default": "Authorization" } }, { "forward_header_name": { - "required": true, - "default": "Authorization", + "description": "The name of the header that is used to set the decrypted value.", "type": "string", - "description": "The name of the header that is used to set the decrypted value." + "required": true, + "default": "Authorization" } }, { "key_sets": { - "required": true, + "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token.", "type": "array", + "required": true, "elements": { "type": "string" - }, - "description": "Denote the name or names of all Key Sets that should be inspected when trying to find a suitable key to decrypt the JWE token." + } } }, { "strict": { - "default": true, + "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found.", "type": "boolean", - "description": "Defines how the plugin behaves in cases where no token was found in the request. When using `strict` mode, the request requires a token to be present and subsequently raise an error if none could be found." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/jwt-signer/3.8.x.json b/schemas/jwt-signer/3.8.x.json index 7a375f7..1f21e36 100644 --- a/schemas/jwt-signer/3.8.x.json +++ b/schemas/jwt-signer/3.8.x.json 
@@ -1,27 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config.access_token_upstream_header", - "config.channel_token_upstream_header", - "config.original_access_token_upstream_header", - "config.original_channel_token_upstream_header" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -38,162 +27,161 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "fields": [ { "realm": { + "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends an `WWW-Authenticate` header with the `realm` attribute value." + "type": "string" } }, { "enable_hs_signatures": { + "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting.", "required": false, - "default": false, "type": "boolean", - "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. If you need to accept such tokens for verification, enable this setting." + "default": false } }, { "enable_instrumentation": { + "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", "required": false, - "default": false, "type": "boolean", - "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level." + "default": false } }, { "access_token_issuer": { + "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", "required": false, - "default": "kong", "type": "string", - "description": "The `iss` claim of a signed or re-signed access token is set to this value. Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token." + "default": "kong" } }, { "access_token_keyset": { + "description": "The name of the keyset containing signing keys.", "required": false, - "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys." + "default": "kong" } }, { "access_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`" + "referenceable": true } }, { "access_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `access_token_keyset_client_username`" + "referenceable": true, + "encrypted": true } }, { "access_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "access_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation." + "default": 0 } }, { "access_token_jwks_uri": { - "required": false, "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", + "required": false, "type": "string" } }, { "access_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`" + "referenceable": true } }, { "access_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `access_token_jwks_uri_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`" + "referenceable": true, + "encrypted": true } }, { "access_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "access_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. The default value 0 means no auto-rotation." + "default": 0 } }, { "access_token_request_header": { + "description": "This parameter tells the name of the header where to look for the access token.", "required": false, - "default": "Authorization", "type": "string", - "description": "This parameter tells the name of the header where to look for the access token." + "default": "Authorization" } }, { "access_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value is added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`." + "default": 0 } }, { "access_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`." + } } }, { "access_token_scopes_claim": { + "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "required": false, "elements": { "type": "string" 
@@ -201,22 +189,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`." + ] } }, { "access_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity." + } } }, { "access_token_consumer_by": { + "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`.", "required": false, "elements": { "type": "string", 
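Review bot: The `access_token_consumer_by` description on the new side contains a typo, `array of alues`, which should read `array of values`. The `access_token_introspection_scopes_claim` description in the `@@ -230,77 +218,77 @@` hunk has a similar slip, where `hich can be given as` should be `which can be given as`. This commit only moves both strings. If the file is exported from the plugin's schema, correct the wording at that source so the next export does not restore it.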
@@ -230,77 +218,77 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of alues. Valid values are `id`, `username`, and `custom_id`." + ] } }, { "access_token_upstream_header": { + "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", "required": false, - "default": "Authorization:Bearer", "type": "string", - "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token." + "default": "Authorization:Bearer" } }, { "access_token_upstream_leeway": { + "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", "required": false, - "default": 0, "type": "number", - "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim." 
+ "default": 0 } }, { "access_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", + "required": false, "type": "string" } }, { "access_token_introspection_authorization": { + "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "required": false, - "type": "string", - "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter." + "type": "string" } }, { "access_token_introspection_body_args": { + "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "required": false, - "type": "string", - "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`." + "type": "string" } }, { "access_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", "required": false, - "default": "access_token", "type": "string", - "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`." + "default": "access_token" } }, { "access_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. 
Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`). If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`." + } } }, { "access_token_introspection_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`." + } } }, { "access_token_introspection_scopes_claim": { + "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "required": true, "elements": { "type": "string" 
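Review bot: `access_token_introspection_authorization` carries the `Authorization` header value that authenticates the plugin to the introspection endpoint, but it is declared with only `required` and `type`. The `*_client_password` fields in this file are marked `"referenceable": true` and `"encrypted": true`. Assuming those flags mean what their names suggest (vault references allowed, value encrypted at rest), this credential gets neither protection. I would add `"referenceable": true, "encrypted": true` to the entry. `channel_token_introspection_authorization` later in the file is declared the same way, and if this JSON is generated the change belongs in the plugin schema it is exported from.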
@@ -308,22 +296,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, hich can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`." + ] } }, { "access_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity." + } } }, { "access_token_introspection_consumer_by": { + "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values.", "required": false, "elements": { "type": "string", 
@@ -337,30 +325,28 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values." + ] } }, { "access_token_introspection_leeway": { + "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value is added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`." + "default": 0 } }, { "access_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "required": false, - "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection." 
+ "type": "number" } }, { "access_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "required": true, - "type": "string", - "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -375,43 +361,45 @@ "PS512", "EdDSA" ], - "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm." + "type": "string", + "default": "RS256" } }, { "add_access_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_access_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "remove_access_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
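Review bot: `add_access_token_claims` and `set_access_token_claims` are declared `"type": "map"` but keep `"default": [ ]`, an empty array rather than an empty object. A consumer that checks the default against the declared type, or merges it into a configuration, receives a list where a key/value map is expected. `"default": {}` would match the type. This looks like an empty table serialized without a type hint, though the exporter is not on this page, so the fix may belong in the export step rather than in this file.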
@@ -419,205 +407,205 @@ "type": "array", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_access_token_upstream_header": { + "description": "The HTTP header name used to store the original access token.", "required": false, - "type": "string", - "description": "The HTTP header name used to store the original access token." + "type": "string" } }, { "access_token_optional": { + "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", "required": false, - "default": false, "type": "boolean", - "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect" + "default": false } }, { "verify_access_token_signature": { + "description": "Quickly turn access token signature verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token signature verification off and on as needed." + "default": true } }, { "verify_access_token_expiry": { + "description": "Quickly turn access token expiry verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token expiry verification off and on as needed." 
+ "default": true } }, { "verify_access_token_scopes": { + "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`." + "default": true } }, { "verify_access_token_introspection_expiry": { + "description": "Quickly turn access token introspection expiry verification off and on as needed.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn access token introspection expiry verification off and on as needed." + "default": true } }, { "verify_access_token_introspection_scopes": { + "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`." + "default": true } }, { "cache_access_token_introspection": { + "description": "Whether to cache access token introspection results.", "required": false, - "default": true, "type": "boolean", - "description": "Whether to cache access token introspection results." + "default": true } }, { "trust_access_token_introspection": { + "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload.", "required": false, - "default": true, "type": "boolean", - "description": "Use this parameter to enable and disable further checks on a payload before the new token is signed. If you set this to `true`, the expiry or scopes are not checked on a payload." 
+ "default": true } }, { "enable_access_token_introspection": { + "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", "required": false, - "default": true, "type": "boolean", - "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection." + "default": true } }, { "channel_token_issuer": { + "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", "required": false, - "default": "kong", "type": "string", - "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token." + "default": "kong" } }, { "channel_token_keyset": { + "description": "The name of the keyset containing signing keys.", "required": false, - "default": "kong", "type": "string", - "description": "The name of the keyset containing signing keys." + "default": "kong" } }, { "channel_token_keyset_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_keyset_client_password`" + "referenceable": true } }, { "channel_token_keyset_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`" + "referenceable": true, + "encrypted": true } }, { "channel_token_keyset_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "channel_token_keyset_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. The default value 0 means no auto-rotation." + "default": 0 } }, { "channel_token_jwks_uri": { - "required": false, "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. 
If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", + "required": false, "type": "string" } }, { "channel_token_jwks_uri_client_username": { + "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "required": false, - "referenceable": true, "type": "string", - "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`" + "referenceable": true } }, { "channel_token_jwks_uri_client_password": { + "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_username`" + "referenceable": true, + "encrypted": true } }, { "channel_token_jwks_uri_client_certificate": { + "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "required": false, - "reference": "certificates", "type": "foreign", - "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth." + "reference": "certificates" } }, { "channel_token_jwks_uri_rotate_period": { + "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. 
The default value 0 means no auto-rotation.", "required": false, - "default": 0, "type": "number", - "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation." + "default": 0 } }, { "channel_token_request_header": { + "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "required": false, - "type": "string", - "description": "This parameter tells the name of the header where to look for the channel token. If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string)." + "type": "string" } }, { "channel_token_leeway": { + "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "Adjusts clock skew between the token issuer and Kong. The value will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`." + "default": 0 } }, { "channel_token_scopes_required": { + "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`." 
+ } } }, { "channel_token_scopes_claim": { + "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" @@ -625,27 +613,23 @@ "type": "array", "default": [ "scope" - ], - "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims." + ] } }, { "channel_token_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`." + } } }, { "channel_token_consumer_by": { "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", - "default": [ - "username", - "custom_id" - ], + "type": "array", "elements": { "type": "string", "one_of": [ 
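Review bot: The description of `channel_token_jwks_uri_client_certificate` names the wrong field. It says the certificate is used if `access_token_jwks_uri` requires mTLS, whereas the neighbouring username and password descriptions refer to `channel_token_jwks_uri`. An operator following this text could believe the certificate applies to the access-token JWKS endpoint and leave the channel-token endpoint without the client certificate it needs. Replace `access_token_jwks_uri` with `channel_token_jwks_uri` in that description. The string is moved unchanged by this commit, so the source it is exported from likely needs the same correction.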
@@ -654,83 +638,87 @@ "custom_id" ] }, - "type": "array" + "default": [ + "username", + "custom_id" + ] } }, { "channel_token_upstream_header": { + "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "required": false, - "type": "string", - "description": "This plugin removes the `config.channel_token_request_header` from the request after reading its value." + "type": "string" } }, { "channel_token_upstream_leeway": { + "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim.", "required": false, - "default": 0, "type": "number", - "description": "If you want to add or perhaps subtract (using negative value) expiry time of the original channel token, you can specify a value that is added to the original channel token's `exp` claim." + "default": 0 } }, { "channel_token_introspection_endpoint": { - "required": false, "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", + "required": false, "type": "string" } }, { "channel_token_introspection_authorization": { + "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. 
Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "When using `opaque` channel tokens, and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise the plugin will not try introspection, and instead returns `401 Unauthorized` when using opaque channel tokens." + } } }, { "channel_token_introspection_body_args": { + "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. For example: `resource=` or `a=1&b=&c`." + } } }, { "channel_token_introspection_hint": { + "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection.", "required": false, "type": "string", "elements": { "type": "string" - }, - "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. By default, a `hint` isn't sent with channel token introspection." 
+ } } }, { "channel_token_introspection_jwt_claim": { + "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong." + } } }, { "channel_token_introspection_scopes_required": { + "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`." + } } }, { "channel_token_introspection_scopes_claim": { + "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "required": false, "elements": { "type": "string" 
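Review bot: The `channel_token_introspection_authorization` description moved in this hunk repeats the introspection-endpoint text ("you need to specify the OAuth 2.0 introspection endpoint URI") and never says what the authorization value is. The description should state what the value contains and where it is sent; presumably it is the `Authorization` header value presented to the introspection endpoint, which needs confirming against the plugin. If it does hold a credential, it is worth checking why it lacks the `encrypted` and `referenceable` attributes that the kafka-log `password` field carries in this same commit. The field is also typed `string` while still carrying an `elements` block, as are `channel_token_introspection_body_args` and `channel_token_introspection_hint`. If these files are generated, the correction belongs in the plugin schema they are dumped from; the enclosing `fields` array starts and ends outside this hunk.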
@@ -738,22 +726,22 @@ "type": "array", "default": [ "scope" - ], - "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims." + ] } }, { "channel_token_introspection_consumer_claim": { + "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity", "required": false, "type": "array", "elements": { "type": "string" - }, - "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to Kong consumer entity" + } } }, { "channel_token_introspection_consumer_by": { + "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`.", "required": false, "elements": { "type": "string", 
@@ -767,30 +755,28 @@ "default": [ "username", "custom_id" - ], - "description": "When the plugin tries to do channel token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username` and `custom_id`." + ] } }, { "channel_token_introspection_leeway": { + "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", "required": false, - "default": 0, "type": "number", - "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`." + "default": 0 } }, { "channel_token_introspection_timeout": { + "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection.", "required": false, - "type": "number", - "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on channel token introspection." 
+ "type": "number" } }, { "channel_token_signing_algorithm": { + "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token.", "required": true, - "type": "string", - "default": "RS256", "one_of": [ "HS256", "HS384", 
@@ -805,43 +791,45 @@ "PS512", "EdDSA" ], - "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. Specify the algorithm that is used to sign the token." + "type": "string", + "default": "RS256" } }, { "add_channel_token_claims": { + "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_channel_token_claims": { + "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "remove_channel_token_claims": { + "description": "remove claims. It should be an array, and each element is a claim key string.", "required": false, "elements": { "type": "string" 
@@ -849,118 +837,117 @@ "type": "array", "default": [ - ], - "description": "remove claims. It should be an array, and each element is a claim key string." + ] } }, { "original_channel_token_upstream_header": { + "description": "The HTTP header name used to store the original channel token.", "required": false, - "type": "string", - "description": "The HTTP header name used to store the original channel token." + "type": "string" } }, { "channel_token_optional": { + "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", "required": false, - "default": false, "type": "boolean", - "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect" + "default": false } }, { "verify_channel_token_signature": { + "description": "Quickly turn on/off the channel token signature verification.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token signature verification." 
+ "default": true } }, { "verify_channel_token_expiry": { + "type": "boolean", "required": false, - "default": true, - "type": "boolean" + "default": true } }, { "verify_channel_token_scopes": { + "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token required scopes verification specified with `config.channel_token_scopes_required`." + "default": true } }, { "verify_channel_token_introspection_expiry": { + "description": "Quickly turn on/off the channel token introspection expiry verification.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection expiry verification." + "default": true } }, { "verify_channel_token_introspection_scopes": { + "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", "required": false, - "default": true, "type": "boolean", - "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`." + "default": true } }, { "cache_channel_token_introspection": { + "description": "Whether to cache channel token introspection results.", "required": false, - "default": true, "type": "boolean", - "description": "Whether to cache channel token introspection results." + "default": true } }, { "trust_channel_token_introspection": { + "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. 
Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", "required": false, - "default": true, "type": "boolean", - "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked." + "default": true } }, { "enable_channel_token_introspection": { + "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", "required": false, - "default": true, "type": "boolean", - "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`." + "default": true } }, { "add_claims": { + "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } }, { "set_claims": { + "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "required": false, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value." + ] } } ], @@ -990,8 +977,21 @@ ] } ], + "required": true, "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config.access_token_upstream_header", + "config.channel_token_upstream_header", + "config.original_access_token_upstream_header", + "config.original_channel_token_upstream_header" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/jwt/3.8.x.json b/schemas/jwt/3.8.x.json index 7093c8f..2530ff4 100644 --- a/schemas/jwt/3.8.x.json +++ b/schemas/jwt/3.8.x.json @@ -1,29 +1,16 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.claims_to_verify", - "if_match": { - "gt": 0 - }, - "then_match": { - "contains": "exp" - }, - "if_field": "config.maximum_expiration" - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -40,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
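Review bot: `verify_channel_token_expiry` is the only `verify_channel_token_*` toggle in the `@@ -849,118 +837,117 @@` hunk that still has no `description`, although setting it to `false` disables expiry checking of channel tokens. Following its siblings it could carry `"description": "Quickly turn on/off the channel token expiry verification."`. The same text should say that the default is `true` and that the toggle is referenced from `config.channel_token_leeway`, so an operator can see what is being switched off. The enclosing `fields` array starts outside this hunk.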
@@ -58,102 +44,116 @@ { "uri_param_names": { "description": "A list of querystring parameters that Kong will inspect to retrieve JWTs.", - "default": [ - "jwt" - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + "jwt" + ] } }, { "cookie_names": { "description": "A list of cookie names that Kong will inspect to retrieve JWTs.", - "default": [ - - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + + ] } }, { "key_claim_name": { - "default": "iss", + "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order.", "type": "string", - "description": "The name of the claim in which the key identifying the secret must be passed. The plugin will attempt to read this claim from the JWT payload and the header, in that order." + "default": "iss" } }, { "secret_is_base64": { - "required": true, - "default": false, + "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret.", "type": "boolean", - "description": "If true, the plugin assumes the credential’s secret to be base64 encoded. You will need to create a base64-encoded secret for your Consumer, and sign your JWT with the original secret." + "required": true, + "default": false } }, { "claims_to_verify": { "description": "A list of registered claims (according to RFC 7519) that Kong can verify as well. Accepted values: one of exp or nbf.", + "type": "set", "elements": { "type": "string", "one_of": [ "exp", "nbf" ] - }, - "type": "set" + } } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." 
+ "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "run_on_preflight": { - "required": true, - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on OPTIONS preflight requests. If set to false, then OPTIONS requests will always be allowed." + "required": true, + "default": true } }, { "maximum_expiration": { + "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future.", + "type": "number", "between": [ 0, 31536000 ], - "default": 0, - "type": "number", - "description": "A value between 0 and 31536000 (365 days) limiting the lifetime of the JWT to maximum_expiration seconds in the future." + "default": 0 } }, { "header_names": { "description": "A list of HTTP header names that Kong will inspect to retrieve JWTs.", - "default": [ - "authorization" - ], + "type": "set", "elements": { "type": "string" }, - "type": "set" + "default": [ + "authorization" + ] } }, { "realm": { - "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.maximum_expiration", + "if_match": { + "gt": 0 + }, + "then_field": "config.claims_to_verify", + "then_match": { + "contains": "exp" + } } } ] 
diff --git a/schemas/kafka-log/3.8.x.json b/schemas/kafka-log/3.8.x.json index e6b4d0d..00a3677 100644 --- a/schemas/kafka-log/3.8.x.json +++ b/schemas/kafka-log/3.8.x.json @@ -1,11 +1,7 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -14,6 +10,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -24,15 +22,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -41,20 +38,21 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 @@ -64,22 +62,21 @@ } ], "type": "record" - }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { "topic": { - "required": true, "description": "The Kafka topic to publish to.", - "type": "string" + "type": "string", + "required": true } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { 
@@ -99,54 +96,54 @@ "fields": [ { "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", + "type": "string", "required": false, "one_of": [ "sasl" - ], - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string" + ] } }, { "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", + "type": "string", "required": false, "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "description": "The SASL authentication mechanism. Supported options: `PLAIN` or `SCRAM-SHA-256`.", - "type": "string" + ] } }, { "tokenauth": { - "required": false, "description": "Enable this to indicate `DelegationToken` authentication", - "type": "boolean" + "type": "boolean", + "required": false } }, { "user": { + "description": "Username for SASL authentication.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Username for SASL authentication." + "referenceable": true } }, { "password": { + "description": "Password for SASL authentication.", "required": false, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Password for SASL authentication." + "referenceable": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
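Review bot: The `mechanism` description on the new side says "Supported options: `PLAIN` or `SCRAM-SHA-256`", but the `one_of` list directly below it also accepts `SCRAM-SHA-512`. The description should match the accepted values, as the kafka-upstream schema in this commit already does: ``"The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`."``. As written, a reader would not learn that the stronger SCRAM variant is available. Since `PLAIN` passes the password to the broker without hashing, the text could also point to the `ssl` ("Enables TLS") option in the following hunk. If the file is generated, the fix belongs in the source schema.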
@@ -154,98 +151,98 @@ "fields": [ { "certificate_id": { - "required": false, - "uuid": true, "description": "UUID of certificate entity for mTLS authentication.", - "type": "string" + "uuid": true, + "type": "string", + "required": false } }, { "ssl": { - "required": false, "description": "Enables TLS.", - "type": "boolean" + "type": "boolean", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "cluster_name": { - "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. Logs will be sent to the leader of the cluster.", "auto": true, - "type": "string" + "type": "string", + "required": false } }, { "producer_request_acks": { "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. 
Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "type": "integer" + ] } }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single Produce request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 50000 } }, { 
@@ -254,16 +251,16 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -273,8 +270,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/kafka-upstream/3.8.x.json b/schemas/kafka-upstream/3.8.x.json index 135fc96..1229e54 100644 --- a/schemas/kafka-upstream/3.8.x.json +++ b/schemas/kafka-upstream/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -38,20 +35,21 @@ "fields": [ { "bootstrap_servers": { + "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format.", "type": "set", "elements": { "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 
@@ -61,35 +59,34 @@ } ], "type": "record" - }, - "description": "Set of bootstrap brokers in a `{host: host, port: port}` list format." + } } }, { "topic": { - "required": true, "description": "The Kafka topic to publish to.", + "required": true, "type": "string" } }, { "timeout": { - "default": 10000, "description": "Socket timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "Keepalive timeout in milliseconds.", - "type": "integer" + "type": "integer", + "default": 60000 } }, { "keepalive_enabled": { - "type": "boolean", - "default": false + "default": false, + "type": "boolean" } }, { 
@@ -97,54 +94,54 @@ "fields": [ { "strategy": { + "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", "required": false, + "type": "string", "one_of": [ "sasl" - ], - "description": "The authentication strategy for the plugin, the only option for the value is `sasl`.", - "type": "string" + ] } }, { "mechanism": { + "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", "required": false, + "type": "string", "one_of": [ "PLAIN", "SCRAM-SHA-256", "SCRAM-SHA-512" - ], - "description": "The SASL authentication mechanism. Supported options: `PLAIN`, `SCRAM-SHA-256`, or `SCRAM-SHA-512`.", - "type": "string" + ] } }, { "tokenauth": { - "required": false, "description": "Enable this to indicate `DelegationToken` authentication.", + "required": false, "type": "boolean" } }, { "user": { + "description": "Username for SASL authentication.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Username for SASL authentication." + "referenceable": true, + "encrypted": true } }, { "password": { + "description": "Password for SASL authentication.", "required": false, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "Password for SASL authentication." + "referenceable": true, + "encrypted": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -152,56 +149,56 @@ "fields": [ { "certificate_id": { + "description": "UUID of certificate entity for mTLS authentication.", "required": false, "uuid": true, - "description": "UUID of certificate entity for mTLS authentication.", "type": "string" } }, { "ssl": { - "required": false, "description": "Enables TLS.", + "required": false, "type": "boolean" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "forward_method": { - "default": false, "description": "Include the request method in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_uri": { - "default": false, "description": "Include the request URI and URI arguments (as in, query arguments) in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_headers": { - "default": false, "description": "Include the request headers in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "forward_body": { - "default": true, "description": "Include the request body in the message. At least one of these must be true: `forward_method`, `forward_uri`, `forward_headers`, `forward_body`.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "cluster_name": { - "required": false, "description": "An identifier for the Kafka cluster. By default, this field generates a random string. You can also set your own custom cluster identifier. If more than one Kafka plugin is configured without a `cluster_name` (that is, if the default autogenerated value is removed), these plugins will use the same producer, and by extension, the same cluster. 
Logs will be sent to the leader of the cluster.", + "required": false, "auto": true, "type": "string" } 
@@ -209,73 +206,73 @@ { "producer_request_acks": { "description": "The number of acknowledgments the producer requires the leader to have received before considering a request complete. Allowed values: 0 for no acknowledgments; 1 for only the leader; and -1 for the full ISR (In-Sync Replica set).", + "type": "integer", "default": 1, "one_of": [ -1, 0, 1 - ], - "type": "integer" + ] } }, { "producer_request_timeout": { - "default": 2000, "description": "Time to wait for a Produce response in milliseconds.", - "type": "integer" + "type": "integer", + "default": 2000 } }, { "producer_request_limits_messages_per_request": { - "default": 200, "description": "Maximum number of messages to include into a single producer request.", - "type": "integer" + "type": "integer", + "default": 200 } }, { "producer_request_limits_bytes_per_request": { - "default": 1048576, "description": "Maximum size of a Produce request in bytes.", - "type": "integer" + "type": "integer", + "default": 1048576 } }, { "producer_request_retries_max_attempts": { - "default": 10, "description": "Maximum number of retry attempts per single Produce request.", - "type": "integer" + "type": "integer", + "default": 10 } }, { "producer_request_retries_backoff_timeout": { - "default": 100, "description": "Backoff interval between retry attempts in milliseconds.", - "type": "integer" + "type": "integer", + "default": 100 } }, { "producer_async": { - "default": true, "description": "Flag to enable asynchronous mode.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "producer_async_flush_timeout": { - "default": 1000, "description": "Maximum time interval in milliseconds between buffer flushes in asynchronous mode.", - "type": "integer" + "type": "integer", + "default": 1000 } }, { "producer_async_buffering_limits_messages_in_memory": { - "default": 50000, "description": "Maximum number of messages that can be buffered in memory in asynchronous mode.", - "type": "integer" + "type": "integer", + 
"default": 50000 } } ], - "required": true, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -295,8 +292,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth-enc/3.8.x.json b/schemas/key-auth-enc/3.8.x.json index dda5896..c141f8d 100644 --- a/schemas/key-auth-enc/3.8.x.json +++ b/schemas/key-auth-enc/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -49,70 +46,73 @@ "fields": [ { "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The client must send the authentication key in one of those key names, and the plugin will try to read the credential from a header, request body, or query string parameter with the same name. Key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it.", "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request (i.e., the header, query string, or request body containing the key) before proxying it." + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "key_in_header": { - "default": true, + "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", "type": "boolean", - "description": "If enabled (default), the plugin reads the request header and tries to find the key in it." + "default": true } }, { "key_in_query": { - "default": true, + "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", "type": "boolean", - "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it." + "default": true } }, { "key_in_body": { - "default": false, + "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", "type": "boolean", - "description": "If enabled, the plugin reads the request body (if said request has one and its MIME type is supported) and tries to find the key in it. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`." + "default": false } }, { "run_on_preflight": { - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. 
If set to `false`, then `OPTIONS` requests are always allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed." + "default": true } }, { "realm": { - "required": false, + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/key-auth/3.8.x.json b/schemas/key-auth/3.8.x.json index 709fec5..f391803 100644 --- a/schemas/key-auth/3.8.x.json +++ b/schemas/key-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
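Review bot: In the key-auth-enc hunk `@@ -49,70 +46,73 @@`, `key_in_query` keeps `"default": true` and `hide_credentials` keeps `"default": false`, so by default the API key is accepted from the URL and is not stripped before proxying. Query strings commonly end up in access logs and intermediary logs, which the `key_in_query` description does not mention. I would add a sentence to that description such as `Keys sent in the query string can be recorded in access and proxy logs; prefer a header where possible.` The same defaults appear in the key-auth hunks `@@ -49,24 +46,24 @@` and `@@ -77,47 +74,50 @@`. If these schema files are generated, the wording belongs in the schema source rather than here.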
@@ -49,24 +46,24 @@ "fields": [ { "key_names": { + "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "Describes an array of parameter names where the plugin will look for a key. The key names may only contain [a-z], [A-Z], [0-9], [_] underscore, and [-] hyphen." + ] } }, { "hide_credentials": { - "required": true, - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin strips the credential from the request.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { 
@@ -77,47 +74,50 @@ }, { "key_in_header": { - "required": true, - "default": true, "description": "If enabled (default), the plugin reads the request header and tries to find the key in it.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "key_in_query": { - "required": true, - "default": true, "description": "If enabled (default), the plugin reads the query parameter in the request and tries to find the key in it.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "key_in_body": { - "required": true, - "default": false, "description": "If enabled, the plugin reads the request body. Supported MIME types: `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "required": true, - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests are always allowed.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": true } }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", + "required": false, "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/konnect-application-auth/3.8.x.json b/schemas/konnect-application-auth/3.8.x.json index 10c57bc..3ab638a 100644 --- a/schemas/konnect-application-auth/3.8.x.json +++ b/schemas/konnect-application-auth/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,157 +43,162 @@ "fields": [ { "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } }, { "auth_type": { + "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'.", "required": true, - "type": "string", - "default": "openid-connect", "one_of": [ "openid-connect", "key-auth", "v2-strategies" ], - "description": "The type of authentication to be performed. Possible values are: 'openid-connect', 'key-auth', 'v2-strategies'." + "type": "string", + "default": "openid-connect" } }, { "scope": { - "required": true, - "type": "string", + "description": "The unique scope identifier for the plugin configuration.", "unique": true, - "description": "The unique scope identifier for the plugin configuration." + "required": true, + "type": "string" } }, { "v2_strategies": { + "description": "The map of v2 strategies.", "required": false, "type": "record", "fields": [ { "key_auth": { + "description": "List of key_auth strategies.", "required": false, "type": "array", "elements": { "fields": [ { "strategy_id": { + "description": "The strategy id the config is tied to.", "required": true, - "type": "string", - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { - "required": true, "fields": [ { "key_names": { + "description": "The names of the headers containing the API key. You can specify multiple header names.", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." 
+ "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "array", "default": [ "apikey" - ], - "description": "The names of the headers containing the API key. You can specify multiple header names." + ] } } ], - "type": "record" + "type": "record", + "required": true } } ], "type": "record" - }, - "description": "List of key_auth strategies." + } } }, { "openid_connect": { + "description": "List of openid_connect strategies.", "required": false, "type": "array", "elements": { "fields": [ { "strategy_id": { + "description": "The strategy id the config is tied to.", "required": true, - "type": "string", - "description": "The strategy id the config is tied to." + "type": "string" } }, { "config": { + "description": "openid-connect plugin configuration.", + "type": "record", "fields": [ { "issuer": { - "required": true, "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, "type": "string" } }, { "using_pseudo_issuer": { - "required": false, - "default": false, + "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", "type": "boolean", - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." + "required": false, + "default": false } }, { "discovery_headers_names": { - "required": false, + "description": "Extra header names passed to the discovery endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." 
+ } } }, { "discovery_headers_values": { - "required": false, + "description": "Extra header values passed to the discovery endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra header values passed to the discovery endpoint." + } } }, { "extra_jwks_uris": { - "required": false, + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", "type": "set", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "rediscovery_lifetime": { - "required": false, - "default": 30, + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis.", "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "required": false, + "default": 30 } }, { "auth_methods": { + "description": "Types of credentials/grants to enable.", "required": false, "elements": { "type": "string", 
@@ -223,38 +225,38 @@ "kong_oauth2", "refresh_token", "session" - ], - "description": "Types of credentials/grants to enable." + ] } }, { "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", "required": false, "elements": { "type": "string", "referenceable": true }, "type": "array", - "encrypted": true, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "encrypted": true } }, { "client_secret": { + "description": "The client secret.", "required": false, "elements": { "type": "string", "referenceable": true }, "type": "array", - "encrypted": true, - "description": "The client secret." + "encrypted": true } }, { "client_auth": { - "required": false, + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -266,16 +268,15 @@ "self_signed_tls_client_auth", "none" ] - }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + } } }, { "client_jwk": { - "required": false, + "description": "The JWK used for the private_key_jwt authentication.", "type": "array", + "required": false, "elements": { - "required": false, "fields": [ { "issuer": { @@ -298,11 +299,11 @@ { "key_ops": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { @@ -326,11 +327,11 @@ { "x5c": { "required": false, + "type": "array", "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { @@ -347,10 +348,10 @@ }, { "k": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { 
@@ -385,86 +386,87 @@ }, { "d": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "p": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "q": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "dp": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "dq": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "qi": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "oth": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "r": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } }, { "t": { - "required": false, - "referenceable": true, "encrypted": true, - "type": "string" + "required": false, + "type": "string", + "referenceable": true } } ], - "type": "record" - }, - "description": "The JWK used for the private_key_jwt authentication." + "type": "record", + "required": false + } } }, { "client_alg": { - "required": false, + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -482,123 +484,121 @@ "PS512", "EdDSA" ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + } } }, { "client_arg": { - "required": false, - "default": "client_id", + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." + "required": false, + "default": "client_id" } }, { "redirect_uri": { - "required": false, + "description": "The redirect URI passed to the authorization and token endpoints.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "login_redirect_uri": { - "required": false, + "description": "Where to redirect the client when `login_action` is set to `redirect`.", "type": "array", + "required": false, "elements": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "type": "string", + "referenceable": true + } } }, { "logout_redirect_uri": { - "required": false, + "description": "Where to redirect the client after the logout.", "type": "array", + "required": false, "elements": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client after the logout." 
+ "type": "string", + "referenceable": true + } } }, { "forbidden_redirect_uri": { - "required": false, + "description": "Where to redirect the client on forbidden requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "forbidden_error_message": { - "required": false, - "default": "Forbidden", + "description": "The error message for the forbidden requests (when not using the redirection).", "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection)." + "required": false, + "default": "Forbidden" } }, { "forbidden_destroy_session": { - "required": false, - "default": true, + "description": "Destroy any active session for the forbidden requests.", "type": "boolean", - "description": "Destroy any active session for the forbidden requests." + "required": false, + "default": true } }, { "unauthorized_destroy_session": { - "required": false, - "default": true, + "description": "Destroy any active session for the unauthorized requests.", "type": "boolean", - "description": "Destroy any active session for the unauthorized requests." + "required": false, + "default": true } }, { "unauthorized_redirect_uri": { - "required": false, + "description": "Where to redirect the client on unauthorized requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." 
+ "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "unauthorized_error_message": { - "required": false, - "default": "Unauthorized", + "description": "The error message for the unauthorized requests (when not using the redirection).", "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "required": false, + "default": "Unauthorized" } }, { "unexpected_redirect_uri": { - "required": false, + "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", "required": false, - "type": "string", - "default": "query", "one_of": [ "query", "form_post", 
@@ -608,11 +608,13 @@ "fragment.jwt", "jwt" ], - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." + "type": "string", + "default": "query" } }, { "response_type": { + "description": "The response type passed to the authorization endpoint.", "required": false, "elements": { "type": "string" @@ -620,12 +622,12 @@ "type": "array", "default": [ "code" - ], - "description": "The response type passed to the authorization endpoint." + ] } }, { "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", "required": false, "elements": { "type": "string", 
@@ -634,42 +636,42 @@ "type": "array", "default": [ "openid" - ], - "description": "The scopes passed to the authorization and token endpoints." + ] } }, { "audience": { - "required": false, + "description": "The audience passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + } } }, { "issuers_allowed": { - "required": false, + "description": "The issuers allowed to be present in the tokens (`iss` claim).", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + } } }, { "scopes_required": { - "required": false, + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -677,22 +679,22 @@ "type": "array", "default": [ "scope" - ], - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "audience_required": { - "required": false, + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -700,22 +702,22 @@
 "type": "array",
 "default": [
 "aud"
- ],
- "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload."
+ ]
 }
 },
 {
 "groups_required": {
- "required": false,
+ "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases."
+ }
 }
 },
 {
 "groups_claim": {
+ "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.",
 "required": false,
 "elements": {
 "type": "string"
@@ -723,22 +725,22 @@
 "type": "array",
 "default": [
 "groups"
- ],
- "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload."
+ ]
 }
 },
 {
 "roles_required": {
- "required": false,
+ "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases."
+ }
 }
 },
 {
 "roles_claim": {
+ "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload.",
 "required": false,
 "elements": {
 "type": "string"
@@ -746,46 +748,47 @@
 "type": "array",
 "default": [
 "roles"
- ],
- "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload."
+ ]
 }
 },
 {
 "domains": {
- "required": false,
+ "description": "The allowed values for the `hd` claim.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "The allowed values for the `hd` claim."
+ }
 }
 },
 {
 "max_age": {
- "required": false,
+ "description": "The maximum age (in seconds) compared to the `auth_time` claim.",
 "type": "number",
- "description": "The maximum age (in seconds) compared to the `auth_time` claim."
+ "required": false
 }
 },
 {
 "authenticated_groups_claim": {
- "required": false,
+ "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload."
+ }
 }
 },
 {
 "pushed_authorization_request_endpoint": {
- "required": false,
 "description": "The pushed authorization endpoint. 
If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "pushed_authorization_request_endpoint_auth_method": {
+ "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate",
+ "type": "string",
 "required": false,
 "one_of": [
 "client_secret_basic",
@@ -795,153 +798,153 @@
 "tls_client_auth",
 "self_signed_tls_client_auth",
 "none"
- ],
- "type": "string",
- "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate"
+ ]
 }
 },
 {
 "require_pushed_authorization_requests": {
- "required": false,
+ "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).",
 "type": "boolean",
- "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)."
+ "required": false
 }
 },
 {
 "require_proof_key_for_code_exchange": {
- "required": false,
+ "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).",
 "type": "boolean",
- "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)."
+ "required": false
 }
 },
 {
 "require_signed_request_object": {
- "required": false,
+ "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).",
 "type": "boolean",
- "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)."
+ "required": false
 }
 },
 {
 "authorization_endpoint": {
- "required": false,
 "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "authorization_query_args_names": {
- "required": false,
+ "description": "Extra query argument names passed to the authorization endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query argument names passed to the authorization endpoint."
+ }
 }
 },
 {
 "authorization_query_args_values": {
- "required": false,
+ "description": "Extra query argument values passed to the authorization endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query argument values passed to the authorization endpoint."
+ }
 }
 },
 {
 "authorization_query_args_client": {
- "required": false,
+ "description": "Extra query arguments passed from the client to the authorization endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query arguments passed from the client to the authorization endpoint." 
+ }
 }
 },
 {
 "authorization_rolling_timeout": {
- "required": false,
- "default": 600,
+ "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.",
 "type": "number",
- "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling."
+ "required": false,
+ "default": 600
 }
 },
 {
 "authorization_cookie_name": {
- "required": false,
- "default": "authorization",
+ "description": "The authorization cookie name.",
 "type": "string",
- "description": "The authorization cookie name."
+ "required": false,
+ "default": "authorization"
 }
 },
 {
 "authorization_cookie_path": {
+ "description": "The authorization cookie Path flag.",
 "required": false,
+ "starts_with": "/",
+ "type": "string",
 "match_none": [
 {
 "pattern": "//",
 "err": "must not have empty segments"
 }
 ],
- "type": "string",
- "starts_with": "/",
- "default": "/",
- "description": "The authorization cookie Path flag."
+ "default": "/"
 }
 },
 {
 "authorization_cookie_domain": {
- "required": false,
+ "description": "The authorization cookie Domain flag.",
 "type": "string",
- "description": "The authorization cookie Domain flag."
+ "required": false
 }
 },
 {
 "authorization_cookie_same_site": {
+ "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.",
 "required": false,
- "type": "string",
- "default": "Default",
 "one_of": [
 "Strict",
 "Lax",
 "None",
 "Default"
 ],
- "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
+ "type": "string",
+ "default": "Default"
 }
 },
 {
 "authorization_cookie_http_only": {
- "required": false,
- "default": true,
+ "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.",
 "type": "boolean",
- "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property."
+ "required": false,
+ "default": true
 }
 },
 {
 "authorization_cookie_secure": {
- "required": false,
+ "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.",
 "type": "boolean",
- "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks."
+ "required": false
 }
 },
 {
 "preserve_query_args": {
- "required": false,
- "default": false,
+ "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.",
 "type": "boolean",
- "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow."
+ "required": false,
+ "default": false
 }
 },
 {
 "token_endpoint": {
- "required": false,
 "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "token_endpoint_auth_method": {
+ "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate",
+ "type": "string",
 "required": false,
 "one_of": [
 "client_secret_basic",
@@ -951,62 +954,61 @@
 "tls_client_auth",
 "self_signed_tls_client_auth",
 "none"
- ],
- "type": "string",
- "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate"
+ ]
 }
 },
 {
 "token_headers_names": {
- "required": false,
+ "description": "Extra header names passed to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra header names passed to the token endpoint."
+ }
 }
 },
 {
 "token_headers_values": {
- "required": false,
+ "description": "Extra header values passed to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra header values passed to the token endpoint."
+ }
 }
 },
 {
 "token_headers_client": {
- "required": false,
+ "description": "Extra headers passed from the client to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra headers passed from the client to the token endpoint."
+ }
 }
 },
 {
 "token_headers_replay": {
- "required": false,
+ "description": "The names of token endpoint response headers to forward to the downstream client.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "The names of token endpoint response headers to forward to the downstream client."
+ }
 }
 },
 {
 "token_headers_prefix": {
- "required": false,
+ "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.",
 "type": "string",
- "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." 
+ "required": false
 }
 },
 {
 "token_headers_grants": {
- "required": false,
+ "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string",
 "one_of": [
@@ -1015,49 +1017,50 @@
 "authorization_code",
 "refresh_token"
 ]
- },
- "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant."
+ }
 }
 },
 {
 "token_post_args_names": {
- "required": false,
+ "description": "Extra post argument names passed to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra post argument names passed to the token endpoint."
+ }
 }
 },
 {
 "token_post_args_values": {
- "required": false,
+ "description": "Extra post argument values passed to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra post argument values passed to the token endpoint."
+ }
 }
 },
 {
 "token_post_args_client": {
- "required": false,
+ "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." 
+ }
 }
 },
 {
 "introspection_endpoint": {
- "required": false,
 "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "introspection_endpoint_auth_method": {
+ "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate",
+ "type": "string",
 "required": false,
 "one_of": [
 "client_secret_basic",
@@ -1067,119 +1070,119 @@
 "tls_client_auth",
 "self_signed_tls_client_auth",
 "none"
- ],
- "type": "string",
- "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate"
+ ]
 }
 },
 {
 "introspection_hint": {
- "required": false,
- "default": "access_token",
+ "description": "Introspection hint parameter value passed to the introspection endpoint.",
 "type": "string",
- "description": "Introspection hint parameter value passed to the introspection endpoint."
+ "required": false,
+ "default": "access_token"
 }
 },
 {
 "introspection_check_active": {
- "required": false,
- "default": true,
+ "description": "Check that the introspection response has an `active` claim with a value of `true`.",
 "type": "boolean",
- "description": "Check that the introspection response has an `active` claim with a value of `true`."
+ "required": false,
+ "default": true
 }
 },
 {
 "introspection_accept": {
+ "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).",
 "required": false,
- "type": "string",
- "default": "application/json",
 "one_of": [
 "application/json",
 "application/token-introspection+jwt",
 "application/jwt"
 ],
- "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." 
+ "type": "string",
+ "default": "application/json"
 }
 },
 {
 "introspection_headers_names": {
- "required": false,
+ "description": "Extra header names passed to the introspection endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra header names passed to the introspection endpoint."
+ }
 }
 },
 {
 "introspection_headers_values": {
+ "description": "Extra header values passed to the introspection endpoint.",
 "required": false,
 "elements": {
 "type": "string",
 "referenceable": true
 },
 "type": "array",
- "encrypted": true,
- "description": "Extra header values passed to the introspection endpoint."
+ "encrypted": true
 }
 },
 {
 "introspection_headers_client": {
- "required": false,
+ "description": "Extra headers passed from the client to the introspection endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra headers passed from the client to the introspection endpoint."
+ }
 }
 },
 {
 "introspection_post_args_names": {
- "required": false,
+ "description": "Extra post argument names passed to the introspection endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra post argument names passed to the introspection endpoint."
+ }
 }
 },
 {
 "introspection_post_args_values": {
- "required": false,
+ "description": "Extra post argument values passed to the introspection endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra post argument values passed to the introspection endpoint."
+ }
 }
 },
 {
 "introspection_post_args_client": {
- "required": false,
+ "description": "Extra post arguments passed from the client to the introspection endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra post arguments passed from the client to the introspection endpoint." 
+ }
 }
 },
 {
 "introspect_jwt_tokens": {
- "required": false,
- "default": false,
+ "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).",
 "type": "boolean",
- "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)."
+ "required": false,
+ "default": false
 }
 },
 {
 "revocation_endpoint": {
- "required": false,
 "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "revocation_endpoint_auth_method": {
+ "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate",
+ "type": "string",
 "required": false,
 "one_of": [
 "client_secret_basic",
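Review bot: `introspection_post_args_values` in this hunk is declared as a plain string array, while `introspection_headers_values` earlier in the same hunk carries `"encrypted": true` and `"referenceable": true` on its elements. Extra POST arguments sent to the introspection endpoint can hold credentials just as extra headers can, so the two fields should probably be protected the same way: add `"encrypted": true` to the field and `"referenceable": true` to its `elements`. The same gap is visible for `token_headers_values`, `token_post_args_values` and `userinfo_headers_values` in the neighbouring hunks. If this file is generated from the plugin's schema definition, the change belongs in that definition rather than in this dump.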
@@ -1189,240 +1192,239 @@
 "tls_client_auth",
 "self_signed_tls_client_auth",
 "none"
- ],
- "type": "string",
- "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate"
+ ]
 }
 },
 {
 "end_session_endpoint": {
- "required": false,
 "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "userinfo_endpoint": {
- "required": false,
 "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "userinfo_accept": {
+ "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).",
 "required": false,
- "type": "string",
- "default": "application/json",
 "one_of": [
 "application/json",
 "application/jwt"
 ],
- "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)."
+ "type": "string",
+ "default": "application/json"
 }
 },
 {
 "userinfo_headers_names": {
- "required": false,
+ "description": "Extra header names passed to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra header names passed to the user info endpoint."
+ }
 }
 },
 {
 "userinfo_headers_values": {
- "required": false,
+ "description": "Extra header values passed to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra header values passed to the user info endpoint." 
+ }
 }
 },
 {
 "userinfo_headers_client": {
- "required": false,
+ "description": "Extra headers passed from the client to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra headers passed from the client to the user info endpoint."
+ }
 }
 },
 {
 "userinfo_query_args_names": {
- "required": false,
+ "description": "Extra query argument names passed to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query argument names passed to the user info endpoint."
+ }
 }
 },
 {
 "userinfo_query_args_values": {
- "required": false,
+ "description": "Extra query argument values passed to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query argument values passed to the user info endpoint."
+ }
 }
 },
 {
 "userinfo_query_args_client": {
- "required": false,
+ "description": "Extra query arguments passed from the client to the user info endpoint.",
 "type": "array",
+ "required": false,
 "elements": {
 "type": "string"
- },
- "description": "Extra query arguments passed from the client to the user info endpoint."
+ }
 }
 },
 {
 "token_exchange_endpoint": {
- "required": false,
 "description": "The token exchange endpoint.",
+ "required": false,
 "type": "string"
 }
 },
 {
 "session_secret": {
+ "description": "The session secret.",
 "required": false,
- "referenceable": true,
 "type": "string",
- "encrypted": true,
- "description": "The session secret."
+ "referenceable": true,
+ "encrypted": true
 }
 },
 {
 "session_audience": {
- "required": false,
- "default": "default",
+ "description": "The session audience, which is the intended target application. For example `\"my-application\"`.",
 "type": "string",
- "description": "The session audience, which is the intended target application. For example `\"my-application\"`." 
+ "required": false,
+ "default": "default"
 }
 },
 {
 "session_cookie_name": {
- "required": false,
- "default": "session",
+ "description": "The session cookie name.",
 "type": "string",
- "description": "The session cookie name."
+ "required": false,
+ "default": "session"
 }
 },
 {
 "session_remember": {
- "required": false,
- "default": false,
+ "description": "Enables or disables persistent sessions.",
 "type": "boolean",
- "description": "Enables or disables persistent sessions."
+ "required": false,
+ "default": false
 }
 },
 {
 "session_remember_cookie_name": {
- "required": false,
- "default": "remember",
+ "description": "Persistent session cookie name. Use with the `remember` configuration parameter.",
 "type": "string",
- "description": "Persistent session cookie name. Use with the `remember` configuration parameter."
+ "required": false,
+ "default": "remember"
 }
 },
 {
 "session_remember_rolling_timeout": {
- "required": false,
- "default": 604800,
+ "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.",
 "type": "number",
- "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling."
+ "required": false,
+ "default": 604800
 }
 },
 {
 "session_remember_absolute_timeout": {
- "required": false,
- "default": 2592000,
+ "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.",
 "type": "number",
- "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks."
+ "required": false,
+ "default": 2592000
 }
 },
 {
 "session_idling_timeout": {
- "required": false,
- "default": 900,
+ "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 
0 disables the checks and touching.",
 "type": "number",
- "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching."
+ "required": false,
+ "default": 900
 }
 },
 {
 "session_rolling_timeout": {
- "required": false,
- "default": 3600,
+ "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.",
 "type": "number",
- "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling."
+ "required": false,
+ "default": 3600
 }
 },
 {
 "session_absolute_timeout": {
- "required": false,
- "default": 86400,
+ "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.",
 "type": "number",
- "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks."
+ "required": false,
+ "default": 86400
 }
 },
 {
 "session_cookie_path": {
+ "description": "The session cookie Path flag.",
 "required": false,
+ "starts_with": "/",
+ "type": "string",
 "match_none": [
 {
 "pattern": "//",
 "err": "must not have empty segments"
 }
 ],
- "type": "string",
- "starts_with": "/",
- "default": "/",
- "description": "The session cookie Path flag."
+ "default": "/"
 }
 },
 {
 "session_cookie_domain": {
- "required": false,
+ "description": "The session cookie Domain flag.",
 "type": "string",
- "description": "The session cookie Domain flag." 
+ "required": false
 }
 },
 {
 "session_cookie_same_site": {
+ "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.",
 "required": false,
- "type": "string",
- "default": "Lax",
 "one_of": [
 "Strict",
 "Lax",
 "None",
 "Default"
 ],
- "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks."
+ "type": "string",
+ "default": "Lax"
 }
 },
 {
 "session_cookie_http_only": {
- "required": false,
- "default": true,
+ "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.",
 "type": "boolean",
- "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property."
+ "required": false,
+ "default": true
 }
 },
 {
 "session_cookie_secure": {
- "required": false,
+ "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.",
 "type": "boolean",
- "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks."
+ "required": false
 }
 },
 {
 "session_request_headers": {
- "required": false,
 "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.",
+ "required": false,
+ "type": "set",
 "elements": {
 "type": "string",
 "one_of": [
@@ -1434,14 +1436,14 @@
 "rolling-timeout",
 "absolute-timeout"
 ]
- },
- "type": "set"
+ }
 }
 },
 {
 "session_response_headers": {
- "required": false,
 "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.",
+ "required": false,
+ "type": "set",
 "elements": {
 "type": "string",
 "one_of": [
@@ -1453,191 +1455,91 @@ "rolling-timeout", "absolute-timeout" ] - }, - "type": "set" + } } }, { "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, - "type": "string", - "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + "type": "string", + "default": "cookie" } }, { "session_store_metadata": { - "required": false, - "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." + "required": false, + "default": false } }, { "session_enforce_same_subject": { - "required": false, - "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject." + "required": false, + "default": false } }, { "session_hash_subject": { - "required": false, - "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. 
Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "required": false, + "default": false } }, { "session_hash_storage_key": { - "required": false, - "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "required": false, + "default": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", - "description": "The memcached host." + "required": false, + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "The memcached port.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "The memcached port." 
+ "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { 
@@ -1647,307 +1549,438 @@ }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. 
If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. 
Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." 
+ "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "default": false } }, { "prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." + "required": false } }, { "socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." 
+ "required": false } } ], - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { 
"sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } }, { "reverify": { - "required": false, - "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session." + "required": false, + "default": false } }, { "jwt_session_claim": { - "required": false, - "default": "sid", + "description": "The claim to match against the JWT session cookie.", "type": "string", - "description": "The claim to match against the JWT session cookie." + "required": false, + "default": "sid" } }, { "jwt_session_cookie": { - "required": false, + "description": "The name of the JWT session cookie.", "type": "string", - "description": "The name of the JWT session cookie." + "required": false } }, { "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "required": false, "elements": { "type": "string", 
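Review bot: In the `redis` record, `ssl` and `ssl_verify` both keep `"default": false`, and neither description says what that default means for the `password` and session data sent over this connection: without `ssl` the connection is not TLS-protected, and with `ssl` alone the server certificate is still not validated. I would add one sentence to the `ssl_verify` description, `With the default (false) the Redis server certificate is not verified; enable this together with ssl whenever Redis is reached over a network.`, and a matching sentence on `ssl`. The `encrypted: true` flag on `password` and `sentinel_password` presumably covers how the value is stored rather than how it is transported, which is worth confirming and stating in those descriptions. The `redis` record opens in the preceding hunk, and if this file is generated from the plugin schema the wording belongs in that source rather than here.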
@@ -1963,19 +1996,19 @@ "header", "query", "body" - ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "required": false } }, { "client_credentials_param_type": { + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "required": false, "elements": { "type": "string", @@ -1990,12 +2023,12 @@ "header", "query", "body" - ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2010,12 +2043,12 @@ "header", "query", "body" - ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2030,19 +2063,19 @@ "header", "query", "body" - ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string", - "description": "The name of the parameter used to pass the id token." + "required": false } }, { "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2057,208 +2090,208 @@ "header", "query", "body" - ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "required": false } }, { "refresh_tokens": { - "required": false, - "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "required": false, + "default": true } }, { "upstream_headers_claims": { - "required": false, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { - "required": false, + "description": "The upstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "required": false, - "default": "authorization:bearer", + "description": "The upstream access token header.", "type": "string", - "description": "The upstream access token header." 
+ "required": false, + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "required": false, + "description": "The upstream access token JWK header.", "type": "string", - "description": "The upstream access token JWK header." + "required": false } }, { "upstream_id_token_header": { - "required": false, + "description": "The upstream id token header.", "type": "string", - "description": "The upstream id token header." + "required": false } }, { "upstream_id_token_jwk_header": { - "required": false, + "description": "The upstream id token JWK header.", "type": "string", - "description": "The upstream id token JWK header." + "required": false } }, { "upstream_refresh_token_header": { - "required": false, + "description": "The upstream refresh token header.", "type": "string", - "description": "The upstream refresh token header." + "required": false } }, { "upstream_user_info_header": { - "required": false, + "description": "The upstream user info header.", "type": "string", - "description": "The upstream user info header." + "required": false } }, { "upstream_user_info_jwt_header": { - "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "upstream_introspection_header": { - "required": false, + "description": "The upstream introspection header.", "type": "string", - "description": "The upstream introspection header." + "required": false } }, { "upstream_introspection_jwt_header": { - "required": false, + "description": "The upstream introspection JWT header.", "type": "string", - "description": "The upstream introspection JWT header." 
+ "required": false } }, { "upstream_session_id_header": { - "required": false, + "description": "The upstream session id header.", "type": "string", - "description": "The upstream session id header." + "required": false } }, { "downstream_headers_claims": { - "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { - "required": false, + "description": "The downstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "required": false, + "description": "The downstream access token header.", "type": "string", - "description": "The downstream access token header." + "required": false } }, { "downstream_access_token_jwk_header": { - "required": false, + "description": "The downstream access token JWK header.", "type": "string", - "description": "The downstream access token JWK header." + "required": false } }, { "downstream_id_token_header": { - "required": false, + "description": "The downstream id token header.", "type": "string", - "description": "The downstream id token header." + "required": false } }, { "downstream_id_token_jwk_header": { - "required": false, + "description": "The downstream id token JWK header.", "type": "string", - "description": "The downstream id token JWK header." + "required": false } }, { "downstream_refresh_token_header": { - "required": false, + "description": "The downstream refresh token header.", "type": "string", - "description": "The downstream refresh token header." 
+ "required": false } }, { "downstream_user_info_header": { - "required": false, + "description": "The downstream user info header.", "type": "string", - "description": "The downstream user info header." + "required": false } }, { "downstream_user_info_jwt_header": { - "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "downstream_introspection_header": { - "required": false, + "description": "The downstream introspection header.", "type": "string", - "description": "The downstream introspection header." + "required": false } }, { "downstream_introspection_jwt_header": { - "required": false, + "description": "The downstream introspection JWT header.", "type": "string", - "description": "The downstream introspection JWT header." + "required": false } }, { "downstream_session_id_header": { - "required": false, + "description": "The downstream session id header.", "type": "string", - "description": "The downstream session id header." + "required": false } }, { "login_methods": { + "description": "Enable login functionality with specified grants.", "required": false, "elements": { "type": "string", 
@@ -2277,25 +2310,25 @@ "type": "array", "default": [ "authorization_code" - ], - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, - "type": "string", - "default": "upstream", "one_of": [ "upstream", "response", "redirect" ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + "type": "string", + "default": "upstream" } }, { "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "required": false, "elements": { "type": "string", 
@@ -2310,45 +2343,45 @@ "type": "array", "default": [ "id_token" - ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, - "type": "string", - "default": "fragment", "one_of": [ "query", "fragment" ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + "type": "string", + "default": "fragment" } }, { "logout_query_arg": { - "required": false, + "description": "The request query argument that activates the logout.", "type": "string", - "description": "The request query argument that activates the logout." + "required": false } }, { "logout_post_arg": { - "required": false, + "description": "The request body argument that activates the logout.", "type": "string", - "description": "The request body argument that activates the logout." + "required": false } }, { "logout_uri_suffix": { - "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string", - "description": "The request URI suffix that activates the logout." + "required": false } }, { "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "required": false, "elements": { "type": "string", 
@@ -2362,46 +2395,46 @@ "default": [ "POST", "DELETE" - ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "required": false, - "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "type": "boolean", - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "required": false, + "default": false } }, { "logout_revoke_access_token": { - "required": false, - "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "logout_revoke_refresh_token": { - "required": false, - "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "consumer_claim": { - "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } } }, { "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "required": false, "elements": { "type": "string", @@ -2415,20 +2448,20 @@ "default": [ "username", "custom_id" - ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "required": false, - "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails." + "required": false, + "default": false } }, { "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -2436,67 +2469,67 @@ "type": "array", "default": [ "sub" - ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "required": false } }, { "run_on_preflight": { - "required": false, - "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "required": false, + "default": true } }, { "leeway": { - "required": false, - "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "required": false, + "default": 0 } }, { "verify_parameters": { - "required": false, - "default": false, + "description": "Verify plugin configuration against discovery.", "type": "boolean", - "description": "Verify plugin configuration against discovery." 
+ "required": false, + "default": false } }, { "verify_nonce": { - "required": false, - "default": true, + "description": "Verify nonce on authorization code flow.", "type": "boolean", - "description": "Verify nonce on authorization code flow." + "required": false, + "default": true } }, { "verify_claims": { - "required": false, - "default": true, + "description": "Verify tokens for standard claims.", "type": "boolean", - "description": "Verify tokens for standard claims." + "required": false, + "default": true } }, { "verify_signature": { - "required": false, - "default": true, + "description": "Verify signature of tokens.", "type": "boolean", - "description": "Verify signature of tokens." + "required": false, + "default": true } }, { "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "required": false, "elements": { "type": "string", 
@@ -2513,22 +2546,22 @@ "type": "array", "default": [ - ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "required": false, - "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "required": false, + "default": false } }, { "disable_session": { - "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2542,540 +2575,440 @@ "refresh_token", "session" ] - }, - "description": "Disable issuing the session cookie with the specified grants." + } } }, { "cache_ttl": { - "required": false, - "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "required": false, + "default": 3600 } }, { "cache_ttl_max": { - "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_min": { - "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_neg": { - "required": false, + "description": "The negative cache ttl in seconds.", "type": "number", - "description": "The negative cache ttl in seconds." + "required": false } }, { "cache_ttl_resurrect": { - "required": false, + "description": "The resurrection ttl in seconds.", "type": "number", - "description": "The resurrection ttl in seconds." + "required": false } }, { "cache_tokens": { - "required": false, - "default": true, + "description": "Cache the token endpoint requests.", "type": "boolean", - "description": "Cache the token endpoint requests." + "required": false, + "default": true } }, { "cache_tokens_salt": { - "required": false, - "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "type": "string", + "required": false } }, { "cache_introspection": { - "required": false, - "default": true, + "description": "Cache the introspection endpoint requests.", "type": "boolean", - "description": "Cache the introspection endpoint requests." + "required": false, + "default": true } }, { "cache_token_exchange": { - "required": false, - "default": true, + "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "description": "Cache the token exchange endpoint requests." + "required": false, + "default": true } }, { "cache_user_info": { - "required": false, - "default": true, + "description": "Cache the user info requests.", "type": "boolean", - "description": "Cache the user info requests." + "required": false, + "default": true } }, { "search_user_info": { - "required": false, - "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "required": false, + "default": false } }, { "hide_credentials": { - "required": false, - "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
+ "required": false, + "default": false } }, { "http_version": { - "required": false, - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "type": "number" + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "required": false, "description": "The HTTP proxy.", + "required": false, "type": "string" } }, { "http_proxy_authorization": { - "required": false, + "description": "The HTTP proxy authorization.", "type": "string", - "description": "The HTTP proxy authorization." + "required": false } }, { "https_proxy": { - "required": false, "description": "The HTTPS proxy.", + "required": false, "type": "string" } }, { "https_proxy_authorization": { - "required": false, + "description": "The HTTPS proxy authorization.", "type": "string", - "description": "The HTTPS proxy authorization." + "required": false } }, { "no_proxy": { - "required": false, + "description": "Do not use proxy with these hosts.", "type": "string", - "description": "Do not use proxy with these hosts." + "required": false } }, { "keepalive": { - "required": false, - "default": true, + "description": "Use keepalive with the HTTP client.", "type": "boolean", - "description": "Use keepalive with the HTTP client." + "required": false, + "default": true } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
+ "required": false, + "default": false } }, { "timeout": { - "required": false, - "default": 10000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "description": "Network IO timeout in milliseconds." + "required": false, + "default": 10000 } }, { "display_errors": { - "required": false, - "default": false, + "description": "Display errors on failure responses.", "type": "boolean", - "description": "Display errors on failure responses." + "required": false, + "default": false } }, { "by_username_ignore_case": { - "required": false, - "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "required": false, + "default": false } }, { "resolve_distributed_claims": { - "required": false, - "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "required": false, + "default": false } }, { "expose_error_code": { - "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ "default": true } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "introspection_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for introspection.", "type": "string", - "description": "Designate token's parameter name for introspection." + "required": false, + "default": "token" } }, { "revocation_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for revocation.", "type": "string", - "description": "Designate token's parameter name for revocation." + "required": false, + "default": "token" } }, { "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." 
+ "type": "string", + "default": "off" } }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "type": "boolean", - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "required": false, + "default": true } }, { "tls_client_auth_cert_id": { - "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, "type": "string", "uuid": true, - "auto": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." + "required": false } }, { "tls_client_auth_ssl_verify": { - "required": false, - "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", "type": "boolean", - "description": "Verify identity provider server certificate during mTLS client authentication." + "required": false, + "default": true } }, { "mtls_token_endpoint": { - "required": false, "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_introspection_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_revocation_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." + "type": "string", + "default": "off" } }, { "dpop_use_nonce": { - "required": false, - "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "type": "boolean", - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "required": false, + "default": false } }, { "dpop_proof_lifetime": { - "required": false, - "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. 
It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "required": false, + "default": 300 } }, { "claims_forbidden": { - "required": false, + "description": "If given, these claims are forbidden in the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload." + } } }, { "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "redis" ], - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." 
+ "type": "string", + "default": "off" } }, { "cluster_cache_redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
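Review bot: `ssl_verify` keeps `"default": false` in this hunk, so connections to the identity provider are not certificate-checked unless an operator opts in, while `tls_client_auth_ssl_verify` a few fields later defaults to `true`. The description should state this, because discovery and token endpoint responses fetched over an unverified connection cannot be trusted; I would append `Defaults to false; set to true in production and configure lua_ssl_trusted_certificate.` The Redis `ssl_verify` in the following hunk (`@@ -3086`) has the same default and the same gap, and `ssl` there also defaults to `false`. Separately, the `mtls_revocation_endpoint` description in this hunk reads `Alias for the introspection endpoint`, which looks copied from the field above and should name the revocation endpoint. The enclosing `fields` array starts before this hunk.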
@@ -3086,186 +3019,315 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } } - ], - "description": "openid-connect plugin configuration.", - "type": "record" + ] } } ], "type": "record" - }, - "description": "List of openid_connect strategies." + } } } ], "default": [ - ], - "description": "The map of v2 strategies." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/ldap-auth-advanced/3.8.x.json b/schemas/ldap-auth-advanced/3.8.x.json index 542f5c1..34b7b64 100644 --- a/schemas/ldap-auth-advanced/3.8.x.json +++ b/schemas/ldap-auth-advanced/3.8.x.json @@ -1,17 +1,7 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -20,6 +10,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ 
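Review bot: In the `@@ -3086,186 +3019,315 @@` hunk the `cluster_nodes` element field is named `ip`, but its description is `A string representing a host name, such as example.com.`, the same text used for `sentinel_nodes` `host`. The schema constrains it only to `"type": "string"` with a default of `127.0.0.1`, so a reader cannot tell whether host names are accepted. The description should say which is intended, for example `IP address of a Redis Cluster node.` if only addresses are valid. The enclosing `cluster_cache_redis` record starts in the previous hunk.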
@@ -30,23 +22,22 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -55,125 +46,126 @@ "fields": [ { "ldap_host": { - "required": true, "description": "Host on which the LDAP server is running.", - "type": "string" + "type": "string", + "required": true } }, { "ldap_password": { "description": "The password to the LDAP server.", - "referenceable": true, + "type": "string", "encrypted": true, - "type": "string" + "referenceable": true } }, { "ldap_port": { - "default": 389, "description": "TCP port where the LDAP server is listening. 389 is the default port for non-SSL LDAP and AD. 636 is the port required for SSL LDAP and AD. If `ldaps` is configured, you must use port 636.", - "type": "number" + "type": "number", + "default": 389 } }, { "bind_dn": { - "referenceable": true, "description": "The DN to bind to. Used to perform LDAP search of user. This `bind_dn` should have permissions to search for the user being authenticated.", - "type": "string" + "type": "string", + "referenceable": true } }, { "ldaps": { - "required": true, - "default": false, "description": "Set it to `true` to use `ldaps`, a secure protocol (that can be configured to TLS) to connect to the LDAP server. When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "start_tls": { - "required": true, - "default": false, "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "verify_ldap_host": { - "required": true, - "default": false, "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": false } }, { "base_dn": { - "required": true, "description": "Base DN as the starting point for the search; e.g., 'dc=example,dc=com'.", - "type": "string" + "type": "string", + "required": true } }, { "attribute": { - "required": true, "description": "Attribute to be used to search the user; e.g., \"cn\".", - "type": "string" + "type": "string", + "required": true } }, { "cache_ttl": { - "required": true, - "default": 60, "description": "Cache expiry time in seconds.", - "type": "number" + "type": "number", + "required": true, + "default": 60 } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "anonymous": { "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request will fail with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", - "default": "", "type": "string", - "len_min": 0 + "len_min": 0, + "default": "" } }, { "header_type": { - "default": "ldap", "description": "An optional string to use as part of the Authorization header. By default, a valid Authorization header looks like this: `Authorization: ldap base64(username:password)`. If `header_type` is set to \"basic\", then the Authorization header would be `Authorization: basic base64(username:password)`. Note that `header_type` can take any string, not just `'ldap'` and `'basic'`.", - "type": "string" + "type": "string", + "default": "ldap" } }, { "consumer_optional": { - "required": false, - "default": false, "description": "Whether consumer mapping is optional. If `consumer_optional=true`, the plugin will not attempt to associate a consumer with the LDAP authenticated user.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "consumer_by": { + "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both.", "required": false, "elements": { "type": "string", 
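Review bot: In schemas/ldap-auth-advanced/3.8.x.json, `verify_ldap_host` keeps `"default": false`, and as its description reads the LDAP server certificate is only verified when the flag is `true`, so turning on `ldaps` or `start_tls` alone appears to leave the server unauthenticated; none of the three descriptions says so. I would append to the `verify_ldap_host` description: `With the default (false) the LDAP server certificate is not verified; set this to true whenever ldaps or start_tls is enabled.` The same applies to the `verify_ldap_host` entry in schemas/ldap-auth/3.8.x.json. The key reordering suggests these files are generated, in which case the wording belongs in the plugin schema they are dumped from. The `config` record holding these fields opens before this hunk and closes after it.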
@@ -186,57 +178,65 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to authenticate consumers based on `username`, `custom_id`, or both." + ] } }, { "group_base_dn": { - "type": "string", - "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'." + "description": "Sets a distinguished name (DN) for the entry where LDAP searches for groups begin. This field is case-insensitive.',dc=com'.", + "type": "string" } }, { "group_name_attribute": { - "type": "string", - "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive." + "description": "Sets the attribute holding the name of a group, typically called `name` (in Active Directory) or `cn` (in OpenLDAP). This field is case-insensitive.", + "type": "string" } }, { "group_member_attribute": { - "default": "memberOf", "description": "Sets the attribute holding the members of the LDAP group. This field is case-sensitive.", - "type": "string" + "type": "string", + "default": "memberOf" } }, { "log_search_results": { - "required": false, - "default": false, "description": "Displays all the LDAP search results received from the LDAP server for debugging purposes. Not recommended to be enabled in a production environment.", - "type": "boolean" + "type": "boolean", + "required": false, + "default": false } }, { "groups_required": { - "required": false, "description": "The groups required to be present in the LDAP search result for successful authorization. This config parameter works in both **AND** / **OR** cases. - When `[\"group1 group2\"]` are in the same array indices, both `group1` AND `group2` need to be present in the LDAP search result. 
- When `[\"group1\", \"group2\"]` are in different array indices, either `group1` OR `group2` need to be present in the LDAP search result.", + "type": "array", + "required": false, "elements": { "type": "string" - }, - "type": "array" + } } }, { "realm": { - "required": false, "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", - "type": "string" + "type": "string", + "required": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/ldap-auth/3.8.x.json b/schemas/ldap-auth/3.8.x.json index 97c0927..109c2af 100644 --- a/schemas/ldap-auth/3.8.x.json +++ b/schemas/ldap-auth/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -32,15 +30,14 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
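Review bot: In the last hunk of schemas/ldap-auth-advanced/3.8.x.json, the `group_base_dn` description on the new side still ends in a stray fragment, `This field is case-insensitive.',dc=com'.`, which reads like the tail of a truncated example DN. Either drop the fragment so the text ends at `This field is case-insensitive.`, or restore a full example in the style `base_dn` uses (`'dc=example,dc=com'`). The line is only moved by this commit, so the defect predates it, but operators read this text when deciding where group searches are rooted.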
@@ -49,130 +46,133 @@ "fields": [ { "ldap_host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "ldap_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", "between": [ 0, 65535 ], - "default": 389, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer", + "default": 389 } }, { "ldaps": { + "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled.", "required": true, - "default": false, "type": "boolean", - "description": "Set to `true` to connect using the LDAPS protocol (LDAP over TLS). When `ldaps` is configured, you must use port 636. If the `ldap` setting is enabled, ensure the `start_tls` setting is disabled." + "default": false } }, { "start_tls": { + "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled.", "required": true, - "default": false, "type": "boolean", - "description": "Set it to `true` to issue StartTLS (Transport Layer Security) extended operation over `ldap` connection. If the `start_tls` setting is enabled, ensure the `ldaps` setting is disabled." + "default": false } }, { "verify_ldap_host": { + "description": "Set to `true` to authenticate LDAP server. The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive.", "required": true, - "default": false, "type": "boolean", - "description": "Set to `true` to authenticate LDAP server. 
The server certificate will be verified according to the CA certificates specified by the `lua_ssl_trusted_certificate` directive." + "default": false } }, { "base_dn": { + "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com", "required": true, - "type": "string", - "description": "Base DN as the starting point for the search; e.g., dc=example,dc=com" + "type": "string" } }, { "attribute": { + "description": "Attribute to be used to search the user; e.g. cn", "required": true, - "type": "string", - "description": "Attribute to be used to search the user; e.g. cn" + "type": "string" } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "required": true, - "default": 60, "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream server. It will be removed by Kong before proxying the request." + "default": false } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when waiting for connection with LDAP server.", "type": "number", - "description": "An optional timeout in milliseconds when waiting for connection with LDAP server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed.", "type": "number", - "description": "An optional value in milliseconds that defines how long an idle connection to LDAP server will live before being closed." 
+ "default": 60000 } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`.", + "type": "string" } }, { "header_type": { - "default": "ldap", + "description": "An optional string to use as part of the Authorization header", "type": "string", - "description": "An optional string to use as part of the Authorization header" + "default": "ldap" } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "then_match": { - "eq": false - }, "then_field": "start_tls", + "if_field": "ldaps", + "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously", "if_match": { "eq": true }, - "if_field": "ldaps", - "then_err": "'ldaps' and 'start_tls' cannot be enabled simultaneously" + "then_match": { + "eq": false + } } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/loggly/3.8.x.json b/schemas/loggly/3.8.x.json index 38d9144..a9bae72 100644 --- a/schemas/loggly/3.8.x.json +++ b/schemas/loggly/3.8.x.json 
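Review bot: In schemas/ldap-auth/3.8.x.json the `ldaps` description says port 636 must be used, but `ldap_port` keeps `"default": 389` and the only entry in the record's `entity_checks` is the `ldaps`/`start_tls` conditional, so `ldaps: true` with the default port passes this schema. If the port really is mandatory, a second `conditional` with `"if_field": "ldaps"` and `"then_field": "ldap_port"` would enforce it. Otherwise the description should be softened, for example `636 is the usual LDAPS port; set ldap_port to match your server.` The same description also says `If the ldap setting is enabled`, which presumably means `ldaps`.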
@@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,43 +42,45 @@ "fields": [ { "host": { - "default": "logs-01.loggly.com", "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "logs-01.loggly.com" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 514, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 514 } }, { "key": { - "required": true, "referenceable": true, - "encrypted": true, - "type": "string" + "required": true, + "type": "string", + "encrypted": true } }, { "tags": { + "type": "set", "default": [ "kong" ], "elements": { "type": "string" - }, - "type": "set" + } } }, { "log_level": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -91,13 +90,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "successful_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", 
@@ -107,13 +106,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "client_errors_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -123,13 +122,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "server_errors_severity": { + "type": "string", + "default": "info", "one_of": [ "debug", "info", @@ -139,15 +138,13 @@ "crit", "alert", "emerg" - ], - "default": "info", - "type": "string" + ] } }, { "timeout": { - "type": "number", - "default": 10000 + "default": 10000, + "type": "number" } }, { @@ -156,18 +153,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/mocking/3.8.x.json b/schemas/mocking/3.8.x.json index ae499b4..1901c74 100644 --- a/schemas/mocking/3.8.x.json +++ b/schemas/mocking/3.8.x.json @@ -1,15 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.api_specification_filename", - "config.api_specification" - ] - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -26,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -43,89 +35,97 @@ "fields": [ { "api_specification_filename": { - "required": false, "description": "The path and name of the specification file loaded into Kong Gateway's database. You cannot use this option for DB-less or hybrid mode.", + "required": false, "type": "string" } }, { "api_specification": { + "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field.", "required": false, - "type": "string", - "description": "The contents of the specification file. You must use this option for hybrid or DB-less mode. You can include the full specification as part of the configuration. In Kong Manager, you can copy and paste the contents of the spec directly into the `Config.Api Specification` text field." + "type": "string" } }, { "random_delay": { - "default": false, "description": "Enables a random delay in the mocked response. Introduces delays to simulate real-time response times by APIs.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "max_delay_time": { - "default": 1, "description": "The maximum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be greater than the `min_delay_time`.", - "type": "number" + "type": "number", + "default": 1 } }, { "min_delay_time": { - "default": 0.001, "description": "The minimum value in seconds of delay time. Set this value when `random_delay` is enabled and you want to adjust the default. The value must be less than the `max_delay_time`.", - "type": "number" + "type": "number", + "default": 0.001 } }, { "random_examples": { - "default": false, "description": "Randomly selects one example and returns it. 
This parameter requires the spec to have multiple examples configured.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "included_status_codes": { + "description": "A global list of the HTTP status codes that can only be selected and returned.", "type": "array", "elements": { "type": "integer" - }, - "description": "A global list of the HTTP status codes that can only be selected and returned." + } } }, { "random_status_code": { - "required": true, - "default": false, "description": "Determines whether to randomly select an HTTP status code from the responses of the corresponding API method. The default value is `false`, which means the minimum HTTP status code is always selected and returned.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "include_base_path": { - "required": true, - "default": false, "description": "Indicates whether to include the base path when performing path match evaluation.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "type": "string", - "starts_with": "/", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.api_specification_filename", + "config.api_specification" + ] + } ] } \ No newline at end of file diff --git a/schemas/mtls-auth/3.8.x.json b/schemas/mtls-auth/3.8.x.json index 0785c21..8def91e 100644 --- a/schemas/mtls-auth/3.8.x.json +++ b/schemas/mtls-auth/3.8.x.json 
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -46,12 +43,13 @@ "fields": [ { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "consumer_by": { + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled.", "required": false, "elements": { "type": "string", 
@@ -64,131 +62,130 @@ "default": [ "username", "custom_id" - ], - "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + ] } }, { "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", "required": true, "type": "array", "elements": { "type": "string", "uuid": true - }, - "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`)." + } } }, { "cache_ttl": { + "description": "Cache expiry time in seconds.", "required": true, - "default": 60, "type": "number", - "description": "Cache expiry time in seconds." + "default": 60 } }, { "skip_consumer_lookup": { + "description": "Skip consumer lookup once certificate is trusted against the configured CA list.", "required": true, - "default": false, "type": "boolean", - "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + "default": false } }, { "allow_partial_chain": { + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates.", "required": true, - "default": false, "type": "boolean", - "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + "default": false } }, { "authenticated_group_by": { + "description": "Certificate property to use as the authenticated group. 
Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users.", "required": false, - "type": "string", - "default": "CN", "one_of": [ "CN", "DN" ], - "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + "type": "string", + "default": "CN" } }, { "revocation_check_mode": { + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status.", "required": false, - "type": "string", - "default": "IGNORE_CA_ERROR", "one_of": [ "SKIP", "IGNORE_CA_ERROR", "STRICT" ], - "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." 
+ "type": "string", + "default": "IGNORE_CA_ERROR" } }, { "http_timeout": { - "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL.", "type": "number", - "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + "default": 30000 } }, { "cert_cache_ttl": { - "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache.", "type": "number", - "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + "default": 60000 } }, { "send_ca_dn": { - "default": false, + "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message.", "type": "boolean", - "description": "Sends the distinguished names (DN) of the configured CA list in the TLS handshake message." + "default": false } }, { "default_consumer": { - "type": "string", - "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "http_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." 
+ "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "http_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "https_proxy_host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "https_proxy_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "mutually_required": [ @@ -203,8 +200,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oas-validation/3.8.x.json b/schemas/oas-validation/3.8.x.json index 35f99dd..307e1a6 100644 --- a/schemas/oas-validation/3.8.x.json +++ b/schemas/oas-validation/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
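Review bot: In schemas/mtls-auth/3.8.x.json the `ca_certificates` description promises `At least one is required`, but the field carries only `"required": true` and no length bound, so whether an empty array is rejected is not visible from this schema. Other arrays in this commit state the bound explicitly (`sentinel_addresses` has `"len_min": 1`); adding `"len_min": 1` here would make the schema match the description and keep the plugin from being configured with no trust anchors. In the same hunk `revocation_check_mode` defaults to `IGNORE_CA_ERROR`; its description could state plainly that this mode does not fail when the OCSP or CRL endpoint is unreachable, and that `STRICT` is the setting for deployments that depend on revocation. If these files are generated, both changes belong in the plugin schema source.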
@@ -38,133 +35,136 @@ "fields": [ { "api_spec": { + "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format.", "required": true, - "type": "string", - "description": "The API specification defined using either Swagger or the OpenAPI. This can be either a JSON or YAML based file. If using a YAML file, the spec needs to be URI-Encoded to preserve the YAML format." + "type": "string" } }, { "verbose_response": { - "required": false, - "default": false, + "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing.", "type": "boolean", - "description": "If set to true, returns a detailed error message for invalid requests & responses. This is useful while testing." + "required": false, + "default": false } }, { "validate_request_body": { - "required": false, - "default": true, + "description": "If set to true, validates the request body content against the API specification.", "type": "boolean", - "description": "If set to true, validates the request body content against the API specification." + "required": false, + "default": true } }, { "notify_only_request_validation_failure": { - "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but request based validation failures don't affect the request flow." 
+ "required": false, + "default": false } }, { "validate_request_header_params": { - "required": false, - "default": true, + "description": "If set to true, validates HTTP header parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates HTTP header parameters against the API specification." + "required": false, + "default": true } }, { "validate_request_query_params": { - "required": false, - "default": true, + "description": "If set to true, validates query parameters against the API specification.", "type": "boolean", - "description": "If set to true, validates query parameters against the API specification." + "required": false, + "default": true } }, { "validate_request_uri_params": { - "required": false, - "default": true, + "description": "If set to true, validates URI parameters in the request against the API specification.", "type": "boolean", - "description": "If set to true, validates URI parameters in the request against the API specification." + "required": false, + "default": true } }, { "validate_response_body": { - "required": false, - "default": false, + "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code.", "type": "boolean", - "description": "If set to true, validates the response from the upstream services against the API specification. If validation fails, it results in an `HTTP 406 Not Acceptable` status code." + "required": false, + "default": false } }, { "notify_only_response_body_validation_failure": { - "required": false, - "default": false, + "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow.", "type": "boolean", - "description": "If set to true, notifications via event hooks are enabled, but response validation failures don't affect the response flow." 
+ "required": false, + "default": false } }, { "query_parameter_check": { - "required": true, - "default": false, + "description": "If set to true, checks if query parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if query parameters in the request exist in the API specification." + "required": true, + "default": false } }, { "header_parameter_check": { - "required": true, - "default": false, + "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification.", "type": "boolean", - "description": "If set to true, checks if HTTP header parameters in the request exist in the API specification." + "required": true, + "default": false } }, { "allowed_header_parameters": { - "required": false, - "default": "Host,Content-Type,User-Agent,Accept,Content-Length", + "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent.", "type": "string", - "description": "List of header parameters in the request that will be ignored when performing HTTP header validation. These are additional headers added to an API request beyond those defined in the API specification. For example, you might include the HTTP header `User-Agent`, which lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent." 
+ "required": false, + "default": "Host,Content-Type,User-Agent,Accept,Content-Length" } }, { "include_base_path": { - "required": true, - "default": false, + "description": "Indicates whether to include the base path when performing path match evaluation.", "type": "boolean", - "description": "Indicates whether to include the base path when performing path match evaluation." + "required": true, + "default": false } }, { "api_spec_encoded": { - "required": true, - "default": true, + "description": "Indicates whether the api_spec is URI-Encoded.", "type": "boolean", - "description": "Indicates whether the api_spec is URI-Encoded." + "required": true, + "default": true } }, { "custom_base_path": { + "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`.", "required": false, + "starts_with": "/", + "type": "string", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } - ], - "type": "string", - "starts_with": "/", - "description": "The base path to be used for path match evaluation. This value is ignored if `include_base_path` is set to `false`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2-introspection/3.8.x.json b/schemas/oauth2-introspection/3.8.x.json index 89a4a76..95956e5 100644 --- a/schemas/oauth2-introspection/3.8.x.json +++ b/schemas/oauth2-introspection/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
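Review bot: The description of `notify_only_request_validation_failure` (and of its response-side twin `notify_only_response_body_validation_failure`) understates what the flag does. "Validation failures don't affect the request flow" reads as: a request that fails validation is still proxied, so enabling the flag turns enforcement into monitoring only. I would say that outright, e.g. `"If set to true, request validation failures only raise event-hook notifications; the failing request is still forwarded upstream."`. The wording is carried over unchanged by this reorder, so if the file is exported from the plugin schema, the fix belongs in that source.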
@@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,107 +43,108 @@ "fields": [ { "introspection_url": { - "required": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, "type": "string" } }, { "ttl": { - "default": 30, + "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration.", "type": "number", - "description": "The TTL in seconds for the introspection response. Set to 0 to disable the expiration." + "default": 30 } }, { "token_type_hint": { - "type": "string", - "description": "The `token_type_hint` value to associate to introspection requests." + "description": "The `token_type_hint` value to associate to introspection requests.", + "type": "string" } }, { "authorization_value": { + "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`).", "required": true, - "referenceable": true, "type": "string", - "encrypted": true, - "description": "The value to set as the `Authorization` header when querying the introspection endpoint. This depends on the OAuth 2.0 server, but usually is the `client_id` and `client_secret` as a Base64-encoded Basic Auth string (`Basic MG9hNWl...`)." + "referenceable": true, + "encrypted": true } }, { "timeout": { - "default": 10000, + "description": "An optional timeout in milliseconds when sending data to the upstream server.", "type": "integer", - "description": "An optional timeout in milliseconds when sending data to the upstream server." + "default": 10000 } }, { "keepalive": { - "default": 60000, + "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", "type": "integer", - "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed." 
+ "default": 60000 } }, { "introspect_request": { + "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean indicating whether to forward information about the current downstream request to the introspect endpoint. If true, headers `X-Request-Path` and `X-Request-Http-Method` will be inserted into the introspect request." + "default": false } }, { "hide_credentials": { - "default": false, + "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request.", "type": "boolean", - "description": "An optional boolean value telling the plugin to hide the credential to the upstream API server. It will be removed by Kong before proxying the request." + "default": false } }, { "run_on_preflight": { - "default": true, + "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", "type": "boolean", - "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed." + "default": true } }, { "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "len_min": 0, - "default": "", "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "default": "" } }, { "consumer_by": { + "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`.", "required": true, - "type": "string", - "default": "username", "one_of": [ "username", "client_id" ], - "description": "A string indicating whether to associate OAuth2 `username` or `client_id` with the consumer's username. OAuth2 `username` is mapped to a consumer's `username` field, while an OAuth2 `client_id` maps to a consumer's `custom_id`." + "type": "string", + "default": "username" } }, { "custom_introspection_headers": { + "description": "A list of custom headers to be added in the introspection request.", "required": true, - "type": "map", + "values": { + "type": "string" + }, "keys": { "type": "string" }, + "type": "map", "default": [ - ], - "values": { - "type": "string" - }, - "description": "A list of custom headers to be added in the introspection request." + ] } }, { "custom_claims_forward": { + "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`.", "required": true, "elements": { "type": "string" 
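Review bot: `custom_introspection_headers` is declared `"type": "map"` with string `keys` and `values`, but the new side still gives it an empty array as its default (`"default": [ ]`). The default therefore does not have the shape of the declared type, and a consumer that checks defaults against `type` would expect `"default": {}`. This may be an artefact of how an empty table is serialised when the schema is exported; if so, the exporter is the place to fix it rather than this file.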
@@ -154,14 +152,16 @@ "type": "set", "default": [ - ], - "description": "A list of custom claims to be forwarded from the introspection response to the upstream request. Claims are forwarded in headers with prefix `X-Credential-{claim-name}`." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/oauth2/3.8.x.json b/schemas/oauth2/3.8.x.json index cbacf7c..4ae4279 100644 --- a/schemas/oauth2/3.8.x.json +++ b/schemas/oauth2/3.8.x.json @@ -1,19 +1,15 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "grpc", "grpcs", @@ -22,6 +18,8 @@ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -32,190 +30,192 @@ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, "fields": [ { "scopes": { "description": "Describes an array of scope names that will be available to the end user. If `mandatory_scope` is set to `true`, then `scopes` are required.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "mandatory_scope": { + "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to require at least one `scope` to be authorized by the end user." + "default": false } }, { "provision_key": { - "required": true, - "auto": true, "description": "The unique key the plugin has generated when it has been added to the Service.", + "required": true, + "unique": true, "type": "string", - "encrypted": true, - "unique": true + "auto": true, + "encrypted": true } }, { "token_expiration": { + "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration.", "required": true, - "default": 7200, "type": "number", - "description": "An optional integer value telling the plugin how many seconds a token should last, after which the client will need to refresh the token. Set to `0` to disable the expiration." 
+ "default": 7200 } }, { "enable_authorization_code": { + "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the three-legged Authorization Code flow (RFC 6742 Section 4.1)." + "default": false } }, { "enable_implicit_grant": { + "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Implicit Grant flow which allows to provision a token as a result of the authorization process (RFC 6742 Section 4.2)." + "default": false } }, { "enable_client_credentials": { + "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Client Credentials Grant flow (RFC 6742 Section 4.4)." + "default": false } }, { "enable_password_grant": { + "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3).", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value to enable the Resource Owner Password Credentials Grant flow (RFC 6742 Section 4.3)." + "default": false } }, { "hide_credentials": { + "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service." 
+ "default": false } }, { "accept_http_if_already_terminated": { + "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer.", "required": true, - "default": false, "type": "boolean", - "description": "Accepts HTTPs requests that have already been terminated by a proxy or load balancer." + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails.", + "type": "string" } }, { "global_credentials": { + "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value that allows using the same OAuth credentials generated by the plugin with any other service whose OAuth 2.0 plugin configuration also has `config.global_credentials=true`." + "default": false } }, { "auth_header_name": { - "default": "authorization", + "description": "The name of the header that is supposed to carry the access token.", "type": "string", - "description": "The name of the header that is supposed to carry the access token." 
+ "default": "authorization" } }, { "refresh_token_ttl": { + "description": "Time-to-live value for data", "required": true, - "type": "number", "between": [ 0, 100000000 ], - "default": 1209600, - "description": "Time-to-live value for data" + "type": "number", + "default": 1209600 } }, { "reuse_refresh_token": { + "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token.", "required": true, - "default": false, "type": "boolean", - "description": "An optional boolean value that indicates whether an OAuth refresh token is reused when refreshing an access token." + "default": false } }, { "persistent_refresh_token": { + "type": "boolean", "required": true, - "default": false, - "type": "boolean" + "default": false } }, { "pkce": { + "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin.", "required": false, - "type": "string", - "default": "lax", "one_of": [ "none", "lax", "strict" ], - "description": "Specifies a mode of how the Proof Key for Code Exchange (PKCE) should be handled by the plugin." + "type": "string", + "default": "lax" } }, { "realm": { + "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value.", "required": false, - "type": "string", - "description": "When authentication fails the plugin sends `WWW-Authenticate` header with `realm` attribute value." + "type": "string" } } ], "entity_checks": [ { "conditional": { - "then_field": "scopes", + "if_field": "mandatory_scope", "if_match": { "eq": true }, + "then_field": "scopes", "then_match": { "required": true - }, - "if_field": "mandatory_scope" + } } } ], + "required": true, "type": "record" } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/opa/3.8.x.json b/schemas/opa/3.8.x.json index 448b6cb..e23d206 100644 --- a/schemas/opa/3.8.x.json +++ b/schemas/opa/3.8.x.json 
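Review bot: The four grant-flow descriptions (`enable_authorization_code`, `enable_implicit_grant`, `enable_client_credentials`, `enable_password_grant`) cite "RFC 6742", but the OAuth 2.0 Authorization Framework is RFC 6749. The section numbers 4.1 to 4.4 they quote match that document's grant types, so the strings should read e.g. `(RFC 6749 Section 4.1)`. An operator following the reference to decide which grants to enable lands on an unrelated document. The text is moved rather than written by this change, so the correction probably belongs in the upstream schema descriptions.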
@@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,15 +27,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -47,67 +44,67 @@ { "opa_protocol": { "description": "The protocol to use when talking to Open Policy Agent (OPA) server. Allowed protocols are `http` and `https`.", + "type": "string", "default": "http", "one_of": [ "http", "https" - ], - "type": "string" + ] } }, { "opa_host": { - "required": true, - "default": "localhost", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "localhost" } }, { "opa_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": true, - "type": "integer", "between": [ 0, 65535 ], - "default": 8181, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "type": "integer", + "default": 8181 } }, { "opa_path": { - "required": true, "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": true, "starts_with": "/", + "type": "string", "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "include_service_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Service object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_route_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Route object in use for the current request is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_consumer_in_opa_input": { - "default": false, "description": "If set to true, the Kong Gateway Consumer object in use for the current request (if any) is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { 
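Review bot: `opa_protocol` keeps `"default": "http"`, so unless it is overridden the policy query goes to OPA in clear text. That query includes whatever `include_service_in_opa_input`, `include_route_in_opa_input` and `include_consumer_in_opa_input` add to it. With the default `opa_host` of `localhost` this is a loopback hop, but the description gives no hint that a non-local `opa_host` should be paired with `https`. I would extend the description with a sentence such as `Use https whenever opa_host is not the local machine.`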
@@ -118,30 +115,33 @@ }, { "include_parsed_json_body_in_opa_input": { - "default": false, "description": "If set to true and the `Content-Type` header of the current request is `application/json`, the request body will be JSON decoded and the decoded struct is included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "include_uri_captures_in_opa_input": { - "default": false, "description": "If set to true, the regex capture groups captured on the Kong Gateway Route's path field in the current request (if any) are included as input to OPA.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": true, - "default": true, "description": "If set to true, the OPA certificate will be verified according to the CA certificates specified in lua_ssl_trusted_certificate.", - "type": "boolean" + "type": "boolean", + "required": true, + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/openid-connect/3.8.x.json b/schemas/openid-connect/3.8.x.json index 480ff11..de68751 100644 --- a/schemas/openid-connect/3.8.x.json +++ b/schemas/openid-connect/3.8.x.json @@ -1,24 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
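Review bot: The top-level `entity_checks` entry `custom_entity_check` with `"field_sources": ["config"]` is removed at the head of `schemas/openid-connect/3.8.x.json`, and nothing in this hunk puts it back. The other schema files in this diff get an empty `entity_checks` array appended at the end of the file. If this file gets the same, the published schema no longer tells consumers that `config` is subject to a cross-field check, which is more than a key reorder. It is worth confirming the removal is intended; the end of the file lies outside this hunk.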
@@ -35,1010 +27,939 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "shorthand_fields": [ - { - "authorization_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "authorization_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "authorization_cookie_httponly": { - "deprecation": { - "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" - } - }, - { - "session_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "session_cookie_idletime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" - } - }, - { - "session_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "session_cookie_httponly": { - "deprecation": { - "message": "openid-connect: 
config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" - } - }, - { - "session_memcache_prefix": { - "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, - { - "session_memcache_socket": { - "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" - }, - "type": "string" - } - }, + "fields": [ { - "session_memcache_host": { - "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" - }, + "issuer": { + "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", + "required": true, "type": "string" } }, { - "session_memcache_port": { - "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" - }, - "type": "integer" + "using_pseudo_issuer": { + "description": "If the plugin uses a pseudo issuer. 
When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`.", + "type": "boolean", + "required": false, + "default": false } }, { - "session_cookie_renew": { - "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "discovery_headers_names": { + "description": "Extra header names passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "session_cookie_maxsize": { - "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "integer" + "discovery_headers_values": { + "description": "Extra header values passed to the discovery endpoint.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "session_strategy": { - "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "extra_jwks_uris": { + "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery).", + "type": "set", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_compressor": { - "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "rediscovery_lifetime": { + "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. 
Discovery is still triggered on an as-needed basis.", + "type": "number", + "required": false, + "default": 30 } }, { - "session_redis_prefix": { - "deprecation": { - "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" + "auth_methods": { + "description": "Types of credentials/grants to enable.", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] }, - "translate_backwards": [ - "redis", - "prefix" - ], - "type": "string" + "type": "array", + "default": [ + "password", + "client_credentials", + "authorization_code", + "bearer", + "introspection", + "userinfo", + "kong_oauth2", + "refresh_token", + "session" + ] } }, { - "session_redis_socket": { - "deprecation": { - "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" + "client_id": { + "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider.", + "required": false, + "elements": { + "type": "string", + "referenceable": true }, - "translate_backwards": [ - "redis", - "socket" - ], - "type": "string" + "type": "array", + "encrypted": true } }, { - "session_redis_host": { - "deprecation": { - "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" + "client_secret": { + "description": "The client secret.", + "required": false, + "elements": { + "type": "string", + "referenceable": true }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" + "type": "array", + "encrypted": true } }, { - "session_redis_port": { - "deprecation": { - "message": "openid-connect: config.session_redis_port is deprecated, please use 
config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" + "client_auth": { + "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication).", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] + } } }, { - "session_redis_username": { - "deprecation": { - "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" + "client_jwk": { + "description": "The JWK used for the private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "fields": [ + { + "issuer": { + "required": false, + "type": "string" + } + }, + { + "kty": { + "required": false, + "type": "string" + } + }, + { + "use": { + "required": false, + "type": "string" + } + }, + { + "key_ops": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "alg": { + "required": false, + "type": "string" + } + }, + { + "kid": { + "required": false, + "type": "string" + } + }, + { + "x5u": { + "required": false, + "type": "string" + } + }, + { + "x5c": { + "required": false, + "type": "array", + "elements": { + "required": false, + "type": "string" + } + } + }, + { + "x5t": { + "required": false, + "type": "string" + } + }, + { + "x5t#S256": { + "required": 
false, + "type": "string" + } + }, + { + "k": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "x": { + "required": false, + "type": "string" + } + }, + { + "y": { + "required": false, + "type": "string" + } + }, + { + "crv": { + "required": false, + "type": "string" + } + }, + { + "n": { + "required": false, + "type": "string" + } + }, + { + "e": { + "required": false, + "type": "string" + } + }, + { + "d": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "p": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "q": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dp": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "dq": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "qi": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "oth": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "r": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + }, + { + "t": { + "encrypted": true, + "required": false, + "type": "string", + "referenceable": true + } + } + ], + "type": "record", + "required": false + } } }, { - "session_redis_password": { - "deprecation": { - "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" + "client_alg": { + "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication.", + "type": "array", + "required": false, + "elements": { + "type": "string", + "one_of": [ + "HS256", + 
"HS384", + "HS512", + "RS256", + "RS384", + "RS512", + "ES256", + "ES384", + "ES512", + "PS256", + "PS384", + "PS512", + "EdDSA" + ] + } } }, { - "session_redis_connect_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "connect_timeout" - ], - "type": "integer" + "client_arg": { + "description": "The client to use for this request (the selection is made with a request parameter with the same name).", + "type": "string", + "required": false, + "default": "client_id" } }, { - "session_redis_read_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "read_timeout" - ], - "type": "integer" + "redirect_uri": { + "description": "The redirect URI passed to the authorization and token endpoints.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_redis_send_timeout": { - "deprecation": { - "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "send_timeout" - ], - "type": "integer" + "login_redirect_uri": { + "description": "Where to redirect the client when `login_action` is set to `redirect`.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } } }, { - "session_redis_ssl": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl is deprecated, 
please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" + "logout_redirect_uri": { + "description": "Where to redirect the client after the logout.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true + } } }, { - "session_redis_ssl_verify": { - "deprecation": { - "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" + "forbidden_redirect_uri": { + "description": "Where to redirect the client on forbidden requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "session_redis_server_name": { - "deprecation": { - "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" + "forbidden_error_message": { + "description": "The error message for the forbidden requests (when not using the redirection).", + "type": "string", + "required": false, + "default": "Forbidden" } }, { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" - }, - "elements": { - "fields": [ - { - "ip": { - "required": true, - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "default": 
6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - } - ], - "type": "record" - }, - "translate_backwards": [ - "redis", - "cluster_nodes" - ], - "type": "array" + "forbidden_destroy_session": { + "description": "Destroy any active session for the forbidden requests.", + "type": "boolean", + "required": false, + "default": true } }, { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" + "unauthorized_destroy_session": { + "description": "Destroy any active session for the unauthorized requests.", + "type": "boolean", + "required": false, + "default": true } - } - ], - "fields": [ + }, { - "issuer": { - "required": true, - "description": "The discovery endpoint (or the issuer identifier). When there is no discovery endpoint, please also configure `config.using_pseudo_issuer=true`.", - "type": "string" + "unauthorized_redirect_uri": { + "description": "Where to redirect the client on unauthorized requests.", + "type": "array", + "required": false, + "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } } }, { - "using_pseudo_issuer": { + "unauthorized_error_message": { + "description": "The error message for the unauthorized requests (when not using the redirection).", + "type": "string", "required": false, - "default": false, - "type": "boolean", - "description": "If the plugin uses a pseudo issuer. When set to true, the plugin will not discover the configuration from the issuer URL specified with `config.issuer`." 
+ "default": "Unauthorized" } }, { - "discovery_headers_names": { - "required": false, + "unexpected_redirect_uri": { + "description": "Where to redirect the client when unexpected errors happen with the requests.", "type": "array", + "required": false, "elements": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" - }, - "description": "Extra header names passed to the discovery endpoint." + } } }, { - "discovery_headers_values": { + "response_mode": { + "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type.", + "required": false, + "one_of": [ + "query", + "form_post", + "fragment", + "query.jwt", + "form_post.jwt", + "fragment.jwt", + "jwt" + ], + "type": "string", + "default": "query" + } + }, + { + "response_type": { + "description": "The response type passed to the authorization endpoint.", "required": false, - "type": "array", "elements": { "type": "string" }, - "description": "Extra header values passed to the discovery endpoint." + "type": "array", + "default": [ + "code" + ] } }, { - "extra_jwks_uris": { + "scopes": { + "description": "The scopes passed to the authorization and token endpoints.", "required": false, - "type": "set", "elements": { "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "referenceable": true }, - "description": "JWKS URIs whose public keys are trusted (in addition to the keys found with the discovery)." 
+ "type": "array", + "default": [ + "openid" + ] } }, { - "rediscovery_lifetime": { + "audience": { + "description": "The audience passed to the authorization endpoint.", + "type": "array", "required": false, - "default": 30, - "type": "number", - "description": "Specifies how long (in seconds) the plugin waits between discovery attempts. Discovery is still triggered on an as-needed basis." + "elements": { + "type": "string" + } } }, { - "auth_methods": { + "issuers_allowed": { + "description": "The issuers allowed to be present in the tokens (`iss` claim).", + "type": "array", "required": false, "elements": { - "type": "string", - "one_of": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ] + "type": "string" + } + } + }, + { + "scopes_required": { + "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } + } + }, + { + "scopes_claim": { + "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, "type": "array", "default": [ - "password", - "client_credentials", - "authorization_code", - "bearer", - "introspection", - "userinfo", - "kong_oauth2", - "refresh_token", - "session" - ], - "description": "Types of credentials/grants to enable." + "scope" + ] } }, { - "client_id": { + "audience_required": { + "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. 
This config parameter works in both **AND** / **OR** cases.", + "type": "array", "required": false, "elements": { - "type": "string", - "referenceable": true + "type": "string" + } + } + }, + { + "audience_claim": { + "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, "type": "array", - "encrypted": true, - "description": "The client id(s) that the plugin uses when it calls authenticated endpoints on the identity provider." + "default": [ + "aud" + ] + } + }, + { + "groups_required": { + "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", + "type": "array", + "required": false, + "elements": { + "type": "string" + } } }, { - "client_secret": { + "groups_claim": { + "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { - "type": "string", - "referenceable": true + "type": "string" }, "type": "array", - "encrypted": true, - "description": "The client secret." + "default": [ + "groups" + ] } }, { - "client_auth": { - "required": false, + "roles_required": { + "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases.", "type": "array", + "required": false, "elements": { - "type": "string", - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ] + "type": "string" + } + } + }, + { + "roles_claim": { + "description": "The claim that contains the roles. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", + "required": false, + "elements": { + "type": "string" }, - "description": "The default OpenID Connect client authentication method is 'client_secret_basic' (using 'Authorization: Basic' header), 'client_secret_post' (credentials in body), 'client_secret_jwt' (signed client assertion in body), 'private_key_jwt' (private key-signed assertion), 'tls_client_auth' (client certificate), 'self_signed_tls_client_auth' (self-signed client certificate), and 'none' (no authentication)." + "type": "array", + "default": [ + "roles" + ] } }, { - "client_jwk": { + "domains": { + "description": "The allowed values for the `hd` claim.", + "type": "array", "required": false, + "elements": { + "type": "string" + } + } + }, + { + "max_age": { + "description": "The maximum age (in seconds) compared to the `auth_time` claim.", + "type": "number", + "required": false + } + }, + { + "authenticated_groups_claim": { + "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. 
If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { - "required": false, - "fields": [ - { - "issuer": { - "required": false, - "type": "string" - } - }, - { - "kty": { - "required": false, - "type": "string" - } - }, - { - "use": { - "required": false, - "type": "string" - } - }, - { - "key_ops": { - "required": false, - "elements": { - "required": false, - "type": "string" - }, - "type": "array" - } - }, - { - "alg": { - "required": false, - "type": "string" - } - }, - { - "kid": { - "required": false, - "type": "string" - } - }, - { - "x5u": { - "required": false, - "type": "string" - } - }, - { - "x5c": { - "required": false, - "elements": { - "required": false, - "type": "string" - }, - "type": "array" - } - }, - { - "x5t": { - "required": false, - "type": "string" - } - }, - { - "x5t#S256": { - "required": false, - "type": "string" - } - }, - { - "k": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "x": { - "required": false, - "type": "string" - } - }, - { - "y": { - "required": false, - "type": "string" - } - }, - { - "crv": { - "required": false, - "type": "string" - } - }, - { - "n": { - "required": false, - "type": "string" - } - }, - { - "e": { - "required": false, - "type": "string" - } - }, - { - "d": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "p": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "q": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "dp": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "dq": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "qi": { - "required": false, - "referenceable": true, - "encrypted": true, 
- "type": "string" - } - }, - { - "oth": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "r": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - }, - { - "t": { - "required": false, - "referenceable": true, - "encrypted": true, - "type": "string" - } - } - ], - "type": "record" - }, - "description": "The JWK used for the private_key_jwt authentication." + "type": "string" + } } }, { - "client_alg": { + "pushed_authorization_request_endpoint": { + "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "required": false, - "type": "array", - "elements": { - "type": "string", - "one_of": [ - "HS256", - "HS384", - "HS512", - "RS256", - "RS384", - "RS512", - "ES256", - "ES384", - "ES512", - "PS256", - "PS384", - "PS512", - "EdDSA" - ] - }, - "description": "The algorithm to use for client_secret_jwt (only HS***) or private_key_jwt authentication." + "type": "string" } }, { - "client_arg": { - "required": false, - "default": "client_id", + "pushed_authorization_request_endpoint_auth_method": { + "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", - "description": "The client to use for this request (the selection is made with a request parameter with the same name)." 
+ "required": false, + "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "redirect_uri": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "The redirect URI passed to the authorization and token endpoints." + "require_pushed_authorization_requests": { + "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`).", + "type": "boolean", + "required": false } }, { - "login_redirect_uri": { - "required": false, - "type": "array", - "elements": { - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" - }, - "description": "Where to redirect the client when `login_action` is set to `redirect`." + "require_proof_key_for_code_exchange": { + "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled).", + "type": "boolean", + "required": false } }, { - "logout_redirect_uri": { + "require_signed_request_object": { + "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. 
When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled).", + "type": "boolean", + "required": false + } + }, + { + "authorization_endpoint": { + "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", "required": false, + "type": "string" + } + }, + { + "authorization_query_args_names": { + "description": "Extra query argument names passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", "type": "string" - }, - "description": "Where to redirect the client after the logout." + } } }, { - "forbidden_redirect_uri": { - "required": false, + "authorization_query_args_values": { + "description": "Extra query argument values passed to the authorization endpoint.", "type": "array", + "required": false, "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on forbidden requests." + "type": "string" + } } }, { - "forbidden_error_message": { + "authorization_query_args_client": { + "description": "Extra query arguments passed from the client to the authorization endpoint.", + "type": "array", "required": false, - "default": "Forbidden", - "type": "string", - "description": "The error message for the forbidden requests (when not using the redirection)." + "elements": { + "type": "string" + } } }, { - "forbidden_destroy_session": { + "authorization_rolling_timeout": { + "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 
0 disables the checks and rolling.", + "type": "number", "required": false, - "default": true, - "type": "boolean", - "description": "Destroy any active session for the forbidden requests." + "default": 600 } }, { - "unauthorized_destroy_session": { + "authorization_cookie_name": { + "description": "The authorization cookie name.", + "type": "string", "required": false, - "default": true, - "type": "boolean", - "description": "Destroy any active session for the unauthorized requests." + "default": "authorization" } }, { - "unauthorized_redirect_uri": { + "authorization_cookie_path": { + "description": "The authorization cookie Path flag.", "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client on unauthorized requests." - } - }, - { - "unauthorized_error_message": { - "required": false, - "default": "Unauthorized", + "starts_with": "/", "type": "string", - "description": "The error message for the unauthorized requests (when not using the redirection)." + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" } }, { - "unexpected_redirect_uri": { - "required": false, - "type": "array", - "elements": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." - }, - "description": "Where to redirect the client when unexpected errors happen with the requests." 
+ "authorization_cookie_domain": { + "description": "The authorization cookie Domain flag.", + "type": "string", + "required": false } }, { - "response_mode": { + "authorization_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "type": "string", - "default": "query", "one_of": [ - "query", - "form_post", - "fragment", - "query.jwt", - "form_post.jwt", - "fragment.jwt", - "jwt" + "Strict", + "Lax", + "None", + "Default" ], - "description": "Response mode passed to the authorization endpoint: - `query`: for parameters in query string - `form_post`: for parameters in request body - `fragment`: for parameters in uri fragment (rarely useful as the plugin itself cannot read it) - `query.jwt`, `form_post.jwt`, `fragment.jwt`: similar to `query`, `form_post` and `fragment` but the parameters are encoded in a JWT - `jwt`: shortcut that indicates the default encoding for the requested response type." + "type": "string", + "default": "Default" } }, { - "response_type": { + "authorization_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "required": false, - "elements": { - "type": "string" - }, - "type": "array", - "default": [ - "code" - ], - "description": "The response type passed to the authorization endpoint." + "default": true } }, { - "scopes": { - "required": false, - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", - "default": [ - "openid" - ], - "description": "The scopes passed to the authorization and token endpoints." 
+ "authorization_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false } }, { - "audience": { + "preserve_query_args": { + "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow.", + "type": "boolean", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The audience passed to the authorization endpoint." + "default": false } }, { - "issuers_allowed": { + "token_endpoint": { + "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The issuers allowed to be present in the tokens (`iss` claim)." + "type": "string" } }, { - "scopes_required": { + "token_endpoint_auth_method": { + "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "The scopes (`scopes_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
+ "one_of": [ + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "scopes_claim": { + "token_headers_names": { + "description": "Extra header names passed to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "scope" - ], - "description": "The claim that contains the scopes. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "audience_required": { - "required": false, + "token_headers_values": { + "description": "Extra header values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The audiences (`audience_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + } } }, { - "audience_claim": { + "token_headers_client": { + "description": "Extra headers passed from the client to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "aud" - ], - "description": "The claim that contains the audience. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "groups_required": { - "required": false, + "token_headers_replay": { + "description": "The names of token endpoint response headers to forward to the downstream client.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The groups (`groups_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." 
+ } } }, { - "groups_claim": { - "required": false, - "elements": { - "type": "string" - }, - "type": "array", - "default": [ - "groups" - ], - "description": "The claim that contains the groups. If multiple values are set, it means the claim is inside a nested object of the token payload." + "token_headers_prefix": { + "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client.", + "type": "string", + "required": false } }, { - "roles_required": { - "required": false, + "token_headers_grants": { + "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant.", "type": "array", + "required": false, "elements": { - "type": "string" - }, - "description": "The roles (`roles_claim` claim) required to be present in the access token (or introspection results) for successful authorization. This config parameter works in both **AND** / **OR** cases." + "type": "string", + "one_of": [ + "password", + "client_credentials", + "authorization_code", + "refresh_token" + ] + } } }, { - "roles_claim": { + "token_post_args_names": { + "description": "Extra post argument names passed to the token endpoint.", + "type": "array", "required": false, "elements": { "type": "string" - }, - "type": "array", - "default": [ - "roles" - ], - "description": "The claim that contains the roles. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "domains": { - "required": false, + "token_post_args_values": { + "description": "Extra post argument values passed to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The allowed values for the `hd` claim." 
- } - }, - { - "max_age": { - "required": false, - "type": "number", - "description": "The maximum age (in seconds) compared to the `auth_time` claim." + } } }, { - "authenticated_groups_claim": { - "required": false, + "token_post_args_client": { + "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim that contains authenticated groups. This setting can be used together with ACL plugin, but it also enables IdP managed groups with other applications and integrations. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { - "pushed_authorization_request_endpoint": { + "introspection_endpoint": { + "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "required": false, - "description": "The pushed authorization endpoint. If set it overrides the value in `pushed_authorization_request_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "pushed_authorization_request_endpoint_auth_method": { + "introspection_endpoint_auth_method": { + "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", + "type": "string", "required": false, "one_of": [ "client_secret_basic", 
@@ -1048,1159 +969,917 @@ "tls_client_auth", "self_signed_tls_client_auth", "none" - ], - "type": "string", - "description": "The pushed authorization request endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + ] } }, { - "require_pushed_authorization_requests": { + "introspection_hint": { + "description": "Introspection hint parameter value passed to the introspection endpoint.", + "type": "string", "required": false, - "type": "boolean", - "description": "Forcibly enable or disable the pushed authorization requests. When not set the value is determined through the discovery using the value of `require_pushed_authorization_requests` (which defaults to `false`)." + "default": "access_token" } }, { - "require_proof_key_for_code_exchange": { - "required": false, + "introspection_check_active": { + "description": "Check that the introspection response has an `active` claim with a value of `true`.", "type": "boolean", - "description": "Forcibly enable or disable the proof key for code exchange. When not set the value is determined through the discovery using the value of `code_challenge_methods_supported`, and enabled automatically (in case the `code_challenge_methods_supported` is missing, the PKCE will not be enabled)." 
+ "required": false, + "default": true } }, { - "require_signed_request_object": { + "introspection_accept": { + "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document).", "required": false, - "type": "boolean", - "description": "Forcibly enable or disable the usage of signed request object on authorization or pushed authorization endpoint. When not set the value is determined through the discovery using the value of `require_signed_request_object`, and enabled automatically (in case the `require_signed_request_object` is missing, the feature will not be enabled)." + "one_of": [ + "application/json", + "application/token-introspection+jwt", + "application/jwt" + ], + "type": "string", + "default": "application/json" } }, { - "authorization_endpoint": { + "introspection_headers_names": { + "description": "Extra header names passed to the introspection endpoint.", + "type": "array", "required": false, - "description": "The authorization endpoint. If set it overrides the value in `authorization_endpoint` returned by the discovery endpoint.", - "type": "string" + "elements": { + "type": "string" + } } }, { - "authorization_query_args_names": { + "introspection_headers_values": { + "description": "Extra header values passed to the introspection endpoint.", "required": false, - "type": "array", "elements": { - "type": "string" + "type": "string", + "referenceable": true }, - "description": "Extra query argument names passed to the authorization endpoint." 
+ "type": "array", + "encrypted": true } }, { - "authorization_query_args_values": { - "required": false, + "introspection_headers_client": { + "description": "Extra headers passed from the client to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query argument values passed to the authorization endpoint." + } } }, { - "authorization_query_args_client": { - "required": false, + "introspection_post_args_names": { + "description": "Extra post argument names passed to the introspection endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra query arguments passed from the client to the authorization endpoint." + } } }, { - "authorization_rolling_timeout": { + "introspection_post_args_values": { + "description": "Extra post argument values passed to the introspection endpoint.", + "type": "array", "required": false, - "default": 600, - "type": "number", - "description": "Specifies how long the session used for the authorization code flow can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." + "elements": { + "type": "string" + } } }, { - "authorization_cookie_name": { + "introspection_post_args_client": { + "description": "Extra post arguments passed from the client to the introspection endpoint.", + "type": "array", "required": false, - "default": "authorization", - "type": "string", - "description": "The authorization cookie name." + "elements": { + "type": "string" + } } }, { - "authorization_cookie_path": { + "introspect_jwt_tokens": { + "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations).", + "type": "boolean", "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The authorization cookie Path flag." 
+ "default": false } }, { - "authorization_cookie_domain": { + "revocation_endpoint": { + "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", "required": false, - "type": "string", - "description": "The authorization cookie Domain flag." + "type": "string" } }, { - "authorization_cookie_same_site": { - "required": false, + "revocation_endpoint_auth_method": { + "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate", "type": "string", - "default": "Default", + "required": false, "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." - } - }, - { - "authorization_cookie_http_only": { - "required": false, - "default": true, - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." - } - }, - { - "authorization_cookie_secure": { - "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." + "client_secret_basic", + "client_secret_post", + "client_secret_jwt", + "private_key_jwt", + "tls_client_auth", + "self_signed_tls_client_auth", + "none" + ] } }, { - "preserve_query_args": { + "end_session_endpoint": { + "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", "required": false, - "default": false, - "type": "boolean", - "description": "With this parameter, you can preserve request query arguments even when doing authorization code flow." 
+ "type": "string" } }, { - "token_endpoint": { + "userinfo_endpoint": { + "description": "The user info endpoint. If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", "required": false, - "description": "The token endpoint. If set it overrides the value in `token_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "token_endpoint_auth_method": { + "userinfo_accept": { + "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document).", "required": false, "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" + "application/json", + "application/jwt" ], "type": "string", - "description": "The token endpoint authentication method: `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "default": "application/json" } }, { - "token_headers_names": { - "required": false, + "userinfo_headers_names": { + "description": "Extra header names passed to the user info endpoint.", "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra header names passed to the token endpoint." - } - }, - { - "token_headers_values": { "required": false, - "type": "array", "elements": { "type": "string" - }, - "description": "Extra header values passed to the token endpoint." + } } }, { - "token_headers_client": { - "required": false, + "userinfo_headers_values": { + "description": "Extra header values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra headers passed from the client to the token endpoint." 
+ } } }, { - "token_headers_replay": { - "required": false, + "userinfo_headers_client": { + "description": "Extra headers passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The names of token endpoint response headers to forward to the downstream client." - } - }, - { - "token_headers_prefix": { - "required": false, - "type": "string", - "description": "Add a prefix to the token endpoint response headers before forwarding them to the downstream client." + } } }, { - "token_headers_grants": { - "required": false, + "userinfo_query_args_names": { + "description": "Extra query argument names passed to the user info endpoint.", "type": "array", - "elements": { - "type": "string", - "one_of": [ - "password", - "client_credentials", - "authorization_code", - "refresh_token" - ] - }, - "description": "Enable the sending of the token endpoint response headers only with certain grants: - `password`: with OAuth password grant - `client_credentials`: with OAuth client credentials grant - `authorization_code`: with authorization code flow - `refresh_token` with refresh token grant." - } - }, - { - "token_post_args_names": { "required": false, - "type": "array", "elements": { "type": "string" - }, - "description": "Extra post argument names passed to the token endpoint." + } } }, { - "token_post_args_values": { - "required": false, + "userinfo_query_args_values": { + "description": "Extra query argument values passed to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Extra post argument values passed to the token endpoint." 
+ } } }, { - "token_post_args_client": { - "required": false, + "userinfo_query_args_client": { + "description": "Extra query arguments passed from the client to the user info endpoint.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "Pass extra arguments from the client to the OpenID-Connect plugin. If arguments exist, the client can pass them using: - Query parameters - Request Body - Request Header This parameter can be used with `scope` values, like this: `config.token_post_args_client=scope` In this case, the token would take the `scope` value from the query parameter or from the request body or from the header and send it to the token endpoint." + } } }, { - "introspection_endpoint": { + "token_exchange_endpoint": { + "description": "The token exchange endpoint.", "required": false, - "description": "The introspection endpoint. If set it overrides the value in `introspection_endpoint` returned by the discovery endpoint.", "type": "string" } }, { - "introspection_endpoint_auth_method": { + "session_secret": { + "description": "The session secret.", "required": false, - "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" - ], "type": "string", - "description": "The introspection endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "referenceable": true, + "encrypted": true } }, { - "introspection_hint": { - "required": false, - "default": "access_token", + "session_audience": { + "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", "type": "string", - "description": "Introspection hint parameter value passed to the introspection endpoint." 
+ "required": false, + "default": "default" } }, { - "introspection_check_active": { + "session_cookie_name": { + "description": "The session cookie name.", + "type": "string", "required": false, - "default": true, - "type": "boolean", - "description": "Check that the introspection response has an `active` claim with a value of `true`." + "default": "session" } }, { - "introspection_accept": { + "session_remember": { + "description": "Enables or disables persistent sessions.", + "type": "boolean", "required": false, - "type": "string", - "default": "application/json", - "one_of": [ - "application/json", - "application/token-introspection+jwt", - "application/jwt" - ], - "description": "The value of `Accept` header for introspection requests: - `application/json`: introspection response as JSON - `application/token-introspection+jwt`: introspection response as JWT (from the current IETF draft document) - `application/jwt`: introspection response as JWT (from the obsolete IETF draft document)." + "default": false } }, { - "introspection_headers_names": { + "session_remember_cookie_name": { + "description": "Persistent session cookie name. Use with the `remember` configuration parameter.", + "type": "string", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra header names passed to the introspection endpoint." + "default": "remember" } }, { - "introspection_headers_values": { + "session_remember_rolling_timeout": { + "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling.", + "type": "number", "required": false, - "elements": { - "type": "string", - "referenceable": true - }, - "type": "array", - "encrypted": true, - "description": "Extra header values passed to the introspection endpoint." 
+ "default": 604800 } }, { - "introspection_headers_client": { + "session_remember_absolute_timeout": { + "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra headers passed from the client to the introspection endpoint." + "default": 2592000 } }, { - "introspection_post_args_names": { + "session_idling_timeout": { + "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post argument names passed to the introspection endpoint." + "default": 900 } }, { - "introspection_post_args_values": { + "session_rolling_timeout": { + "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post argument values passed to the introspection endpoint." + "default": 3600 } }, { - "introspection_post_args_client": { + "session_absolute_timeout": { + "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks.", + "type": "number", "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra post arguments passed from the client to the introspection endpoint." + "default": 86400 } }, { - "introspect_jwt_tokens": { + "session_cookie_path": { + "description": "The session cookie Path flag.", "required": false, - "default": false, - "type": "boolean", - "description": "Specifies whether to introspect the JWT access tokens (can be used to check for revocations)." 
+ "starts_with": "/", + "type": "string", + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "default": "/" } }, { - "revocation_endpoint": { - "required": false, - "description": "The revocation endpoint. If set it overrides the value in `revocation_endpoint` returned by the discovery endpoint.", - "type": "string" + "session_cookie_domain": { + "description": "The session cookie Domain flag.", + "type": "string", + "required": false } }, { - "revocation_endpoint_auth_method": { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, "one_of": [ - "client_secret_basic", - "client_secret_post", - "client_secret_jwt", - "private_key_jwt", - "tls_client_auth", - "self_signed_tls_client_auth", - "none" + "Strict", + "Lax", + "None", + "Default" ], "type": "string", - "description": "The revocation endpoint authentication method: : `client_secret_basic`, `client_secret_post`, `client_secret_jwt`, `private_key_jwt`, `tls_client_auth`, `self_signed_tls_client_auth`, or `none`: do not authenticate" + "default": "Lax" } }, { - "end_session_endpoint": { - "required": false, - "description": "The end session endpoint. If set it overrides the value in `end_session_endpoint` returned by the discovery endpoint.", - "type": "string" - } - }, - { - "userinfo_endpoint": { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", + "type": "boolean", "required": false, - "description": "The user info endpoint. 
If set it overrides the value in `userinfo_endpoint` returned by the discovery endpoint.", - "type": "string" + "default": true } }, { - "userinfo_accept": { - "required": false, - "type": "string", - "default": "application/json", - "one_of": [ - "application/json", - "application/jwt" - ], - "description": "The value of `Accept` header for user info requests: - `application/json`: user info response as JSON - `application/jwt`: user info response as JWT (from the obsolete IETF draft document)." + "session_cookie_secure": { + "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", + "type": "boolean", + "required": false } }, { - "userinfo_headers_names": { + "session_request_headers": { + "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", "required": false, - "type": "array", + "type": "set", "elements": { - "type": "string" - }, - "description": "Extra header names passed to the user info endpoint." + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "userinfo_headers_values": { + "session_response_headers": { + "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", "required": false, - "type": "array", + "type": "set", "elements": { - "type": "string" - }, - "description": "Extra header values passed to the user info endpoint." 
- } - }, - { - "userinfo_headers_client": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra headers passed from the client to the user info endpoint." - } - }, - { - "userinfo_query_args_names": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query argument names passed to the user info endpoint." - } - }, - { - "userinfo_query_args_values": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query argument values passed to the user info endpoint." - } - }, - { - "userinfo_query_args_client": { - "required": false, - "type": "array", - "elements": { - "type": "string" - }, - "description": "Extra query arguments passed from the client to the user info endpoint." - } - }, - { - "token_exchange_endpoint": { - "required": false, - "description": "The token exchange endpoint.", - "type": "string" - } - }, - { - "session_secret": { - "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The session secret." - } - }, - { - "session_audience": { - "required": false, - "default": "default", - "type": "string", - "description": "The session audience, which is the intended target application. For example `\"my-application\"`." - } - }, - { - "session_cookie_name": { - "required": false, - "default": "session", - "type": "string", - "description": "The session cookie name." - } - }, - { - "session_remember": { - "required": false, - "default": false, - "type": "boolean", - "description": "Enables or disables persistent sessions." - } - }, - { - "session_remember_cookie_name": { - "required": false, - "default": "remember", - "type": "string", - "description": "Persistent session cookie name. Use with the `remember` configuration parameter." 
- } - }, - { - "session_remember_rolling_timeout": { - "required": false, - "default": 604800, - "type": "number", - "description": "Specifies how long the persistent session is considered valid in seconds. 0 disables the checks and rolling." - } - }, - { - "session_remember_absolute_timeout": { - "required": false, - "default": 2592000, - "type": "number", - "description": "Limits how long the persistent session can be renewed in seconds, until re-authentication is required. 0 disables the checks." - } - }, - { - "session_idling_timeout": { - "required": false, - "default": 900, - "type": "number", - "description": "Specifies how long the session can be inactive until it is considered invalid in seconds. 0 disables the checks and touching." - } - }, - { - "session_rolling_timeout": { - "required": false, - "default": 3600, - "type": "number", - "description": "Specifies how long the session can be used in seconds until it needs to be renewed. 0 disables the checks and rolling." - } - }, - { - "session_absolute_timeout": { - "required": false, - "default": 86400, - "type": "number", - "description": "Limits how long the session can be renewed in seconds, until re-authentication is required. 0 disables the checks." - } - }, - { - "session_cookie_path": { - "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "The session cookie Path flag." - } - }, - { - "session_cookie_domain": { - "required": false, - "type": "string", - "description": "The session cookie Domain flag." - } - }, - { - "session_cookie_same_site": { - "required": false, - "type": "string", - "default": "Lax", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
- } - }, - { - "session_cookie_http_only": { - "required": false, - "default": true, - "type": "boolean", - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property." - } - }, - { - "session_cookie_secure": { - "required": false, - "type": "boolean", - "description": "Cookie is only sent to the server when a request is made with the https: scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks." - } - }, - { - "session_request_headers": { - "required": false, - "description": "Set of headers to send to upstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. `[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout request headers.", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_response_headers": { - "required": false, - "description": "Set of headers to send to downstream, use id, audience, subject, timeout, idling-timeout, rolling-timeout, absolute-timeout. E.g. 
`[ \"id\", \"timeout\" ]` will set Session-Id and Session-Timeout response headers.", - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis.", "required": false, - "type": "string", - "default": "cookie", "one_of": [ "cookie", "memcache", "memcached", "redis" ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie (the session cannot be invalidated or revoked without changing session secret, but is stateless, and doesn't require a database) - `memcache`: stores session data in memcached - `redis`: stores session data in Redis." + "type": "string", + "default": "cookie" } }, { "session_store_metadata": { - "required": false, - "default": false, + "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject.", "type": "boolean", - "description": "Configures whether or not session metadata should be stored. This metadata includes information about the active sessions for a specific audience belonging to a specific subject." 
+ "required": false, + "default": false } }, { "session_enforce_same_subject": { - "required": false, - "default": false, + "description": "When set to `true`, audiences are forced to share the same subject.", "type": "boolean", - "description": "When set to `true`, audiences are forced to share the same subject." + "required": false, + "default": false } }, { "session_hash_subject": { - "required": false, - "default": false, + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", "type": "boolean", - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled." + "required": false, + "default": false } }, { "session_hash_storage_key": { - "required": false, - "default": false, + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "type": "boolean", - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie." + "required": false, + "default": false } }, { "session_memcached_prefix": { - "required": false, + "description": "The memcached session key prefix.", "type": "string", - "description": "The memcached session key prefix." + "required": false } }, { "session_memcached_socket": { - "required": false, + "description": "The memcached unix socket path.", "type": "string", - "description": "The memcached unix socket path." + "required": false } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", + "description": "The memcached host.", "type": "string", - "description": "The memcached host." 
+ "required": false, + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "The memcached port.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "The memcached port." + "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] + "default": 2000 } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } - }, - { - "send_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." - } + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + "default": false } }, { "prefix": { - "required": false, + "description": "The Redis session key prefix.", "type": "string", - "description": "The Redis session key prefix." 
+ "required": false } }, { "socket": { - "required": false, + "description": "The Redis unix socket path.", "type": "string", - "description": "The Redis unix socket path." + "required": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field 
`timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } }, { "reverify": { - "required": false, - "default": false, + "description": "Specifies whether to always verify tokens stored in the session.", "type": "boolean", - "description": "Specifies whether to always verify tokens stored in the session." + "required": false, + "default": false } }, { "jwt_session_claim": { - "required": false, - "default": "sid", + "description": "The claim to match against the JWT session cookie.", "type": "string", - "description": "The claim to match against the JWT session cookie." + "required": false, + "default": "sid" } }, { "jwt_session_cookie": { - "required": false, + "description": "The name of the JWT session cookie.", "type": "string", - "description": "The name of the JWT session cookie." + "required": false } }, { "bearer_token_param_type": { + "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`.", "required": false, "elements": { "type": "string", 
@@ -2216,19 +1895,19 @@ "header", "query", "body" - ], - "description": "Where to look for the bearer token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body - `cookie`: search the HTTP request cookies specified with `config.bearer_token_cookie_name`." + ] } }, { "bearer_token_cookie_name": { - "required": false, + "description": "The name of the cookie in which the bearer token is passed.", "type": "string", - "description": "The name of the cookie in which the bearer token is passed." + "required": false } }, { "client_credentials_param_type": { + "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2243,12 +1922,12 @@ "header", "query", "body" - ], - "description": "Where to look for the client credentials: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search from the HTTP request body." + ] } }, { "password_param_type": { + "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", @@ -2263,12 +1942,12 @@ "header", "query", "body" - ], - "description": "Where to look for the username and password: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_type": { + "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
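Review bot: Key order on the new side is not consistent between fields: `bearer_token_cookie_name` is written as `description`, `type`, `required`, while `client_credentials_param_type` in the next hunk on this line puts `required` directly after `description`. As far as the visible lines show, each removed/added pair here and in the hunks that follow up to `@@ -2766,22 +2445,22 @@` carries the same keys and values in a different order. A real change to a default such as the one on `verify_signature` would be hard to spot in that noise. If this file is produced by a dump script, which the pattern suggests but the page does not show, emitting keys in one fixed order (for example sorted) would keep later diffs down to value changes. The enclosing `fields` array starts and ends outside these hunks.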
@@ -2283,19 +1962,19 @@ "header", "query", "body" - ], - "description": "Where to look for the id token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "id_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the id token.", "type": "string", - "description": "The name of the parameter used to pass the id token." + "required": false } }, { "refresh_token_param_type": { + "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body.", "required": false, "elements": { "type": "string", 
@@ -2310,208 +1989,208 @@ "header", "query", "body" - ], - "description": "Where to look for the refresh token: - `header`: search the HTTP headers - `query`: search the URL's query string - `body`: search the HTTP request body." + ] } }, { "refresh_token_param_name": { - "required": false, + "description": "The name of the parameter used to pass the refresh token.", "type": "string", - "description": "The name of the parameter used to pass the refresh token." + "required": false } }, { "refresh_tokens": { - "required": false, - "default": true, + "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available.", "type": "boolean", - "description": "Specifies whether the plugin should try to refresh (soon to be) expired access tokens if the plugin has a `refresh_token` available." + "required": false, + "default": true } }, { "upstream_headers_claims": { - "required": false, + "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "upstream_headers_names": { - "required": false, + "description": "The upstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The upstream header names for the claim values." + } } }, { "upstream_access_token_header": { - "required": false, - "default": "authorization:bearer", + "description": "The upstream access token header.", "type": "string", - "description": "The upstream access token header." 
+ "required": false, + "default": "authorization:bearer" } }, { "upstream_access_token_jwk_header": { - "required": false, + "description": "The upstream access token JWK header.", "type": "string", - "description": "The upstream access token JWK header." + "required": false } }, { "upstream_id_token_header": { - "required": false, + "description": "The upstream id token header.", "type": "string", - "description": "The upstream id token header." + "required": false } }, { "upstream_id_token_jwk_header": { - "required": false, + "description": "The upstream id token JWK header.", "type": "string", - "description": "The upstream id token JWK header." + "required": false } }, { "upstream_refresh_token_header": { - "required": false, + "description": "The upstream refresh token header.", "type": "string", - "description": "The upstream refresh token header." + "required": false } }, { "upstream_user_info_header": { - "required": false, + "description": "The upstream user info header.", "type": "string", - "description": "The upstream user info header." + "required": false } }, { "upstream_user_info_jwt_header": { - "required": false, + "description": "The upstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The upstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "upstream_introspection_header": { - "required": false, + "description": "The upstream introspection header.", "type": "string", - "description": "The upstream introspection header." + "required": false } }, { "upstream_introspection_jwt_header": { - "required": false, + "description": "The upstream introspection JWT header.", "type": "string", - "description": "The upstream introspection JWT header." 
+ "required": false } }, { "upstream_session_id_header": { - "required": false, + "description": "The upstream session id header.", "type": "string", - "description": "The upstream session id header." + "required": false } }, { "downstream_headers_claims": { - "required": false, + "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header claims. If multiple values are set, it means the claim is inside a nested object of the token payload." + } } }, { "downstream_headers_names": { - "required": false, + "description": "The downstream header names for the claim values.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The downstream header names for the claim values." + } } }, { "downstream_access_token_header": { - "required": false, + "description": "The downstream access token header.", "type": "string", - "description": "The downstream access token header." + "required": false } }, { "downstream_access_token_jwk_header": { - "required": false, + "description": "The downstream access token JWK header.", "type": "string", - "description": "The downstream access token JWK header." + "required": false } }, { "downstream_id_token_header": { - "required": false, + "description": "The downstream id token header.", "type": "string", - "description": "The downstream id token header." + "required": false } }, { "downstream_id_token_jwk_header": { - "required": false, + "description": "The downstream id token JWK header.", "type": "string", - "description": "The downstream id token JWK header." + "required": false } }, { "downstream_refresh_token_header": { - "required": false, + "description": "The downstream refresh token header.", "type": "string", - "description": "The downstream refresh token header." 
+ "required": false } }, { "downstream_user_info_header": { - "required": false, + "description": "The downstream user info header.", "type": "string", - "description": "The downstream user info header." + "required": false } }, { "downstream_user_info_jwt_header": { - "required": false, + "description": "The downstream user info JWT header (in case the user info returns a JWT response).", "type": "string", - "description": "The downstream user info JWT header (in case the user info returns a JWT response)." + "required": false } }, { "downstream_introspection_header": { - "required": false, + "description": "The downstream introspection header.", "type": "string", - "description": "The downstream introspection header." + "required": false } }, { "downstream_introspection_jwt_header": { - "required": false, + "description": "The downstream introspection JWT header.", "type": "string", - "description": "The downstream introspection JWT header." + "required": false } }, { "downstream_session_id_header": { - "required": false, + "description": "The downstream session id header.", "type": "string", - "description": "The downstream session id header." + "required": false } }, { "login_methods": { + "description": "Enable login functionality with specified grants.", "required": false, "elements": { "type": "string", 
@@ -2530,25 +2209,25 @@ "type": "array", "default": [ "authorization_code" - ], - "description": "Enable login functionality with specified grants." + ] } }, { "login_action": { + "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location.", "required": false, - "type": "string", - "default": "upstream", "one_of": [ "upstream", "response", "redirect" ], - "description": "What to do after successful login: - `upstream`: proxy request to upstream service - `response`: terminate request with a response - `redirect`: redirect to a different location." + "type": "string", + "default": "upstream" } }, { "login_tokens": { + "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response.", "required": false, "elements": { "type": "string", 
@@ -2563,45 +2242,45 @@ "type": "array", "default": [ "id_token" - ], - "description": "What tokens to include in `response` body or `redirect` query string or fragment: - `id_token`: include id token - `access_token`: include access token - `refresh_token`: include refresh token - `tokens`: include the full token endpoint response - `introspection`: include introspection response." + ] } }, { "login_redirect_mode": { + "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers).", "required": false, - "type": "string", - "default": "fragment", "one_of": [ "query", "fragment" ], - "description": "Where to place `login_tokens` when using `redirect` `login_action`: - `query`: place tokens in query string - `fragment`: place tokens in url fragment (not readable by servers)." + "type": "string", + "default": "fragment" } }, { "logout_query_arg": { - "required": false, + "description": "The request query argument that activates the logout.", "type": "string", - "description": "The request query argument that activates the logout." + "required": false } }, { "logout_post_arg": { - "required": false, + "description": "The request body argument that activates the logout.", "type": "string", - "description": "The request body argument that activates the logout." + "required": false } }, { "logout_uri_suffix": { - "required": false, + "description": "The request URI suffix that activates the logout.", "type": "string", - "description": "The request URI suffix that activates the logout." + "required": false } }, { "logout_methods": { + "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method.", "required": false, "elements": { "type": "string", 
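Review bot: The `login_redirect_mode` description in this hunk says why `fragment` is the safer placement ("not readable by servers") but gives an operator no reason to avoid `query`, which the same field accepts. Tokens placed in a query string can be recorded in access and proxy logs and in browser history, and can be passed on in `Referer` headers. I would extend the `query` bullet of the description with `(may be recorded in access logs, browser history and Referer headers)`. The default of `fragment` is already the conservative choice and should stay. If the description text is generated from the plugin's schema source, the wording belongs there rather than in this file.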
@@ -2615,46 +2294,46 @@ "default": [ "POST", "DELETE" - ], - "description": "The request methods that can activate the logout: - `POST`: HTTP POST method - `GET`: HTTP GET method - `DELETE`: HTTP DELETE method." + ] } }, { "logout_revoke": { - "required": false, - "default": false, + "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters.", "type": "boolean", - "description": "Revoke tokens as part of the logout.\n\nFor more granular token revocation, you can also adjust the `logout_revoke_access_token` and `logout_revoke_refresh_token` parameters." + "required": false, + "default": false } }, { "logout_revoke_access_token": { - "required": false, - "default": true, + "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the access token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "logout_revoke_refresh_token": { - "required": false, - "default": true, + "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`.", "type": "boolean", - "description": "Revoke the refresh token as part of the logout. Requires `logout_revoke` to be set to `true`." + "required": false, + "default": true } }, { "consumer_claim": { - "required": false, + "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "The claim used for consumer mapping. If multiple values are set, it means the claim is inside a nested object of the token payload." 
+ } } }, { "consumer_by": { + "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`.", "required": false, "elements": { "type": "string", @@ -2668,20 +2347,20 @@ "default": [ "username", "custom_id" - ], - "description": "Consumer fields used for mapping: - `id`: try to find the matching Consumer by `id` - `username`: try to find the matching Consumer by `username` - `custom_id`: try to find the matching Consumer by `custom_id`." + ] } }, { "consumer_optional": { - "required": false, - "default": false, + "description": "Do not terminate the request if consumer mapping fails.", "type": "boolean", - "description": "Do not terminate the request if consumer mapping fails." + "required": false, + "default": false } }, { "credential_claim": { + "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload.", "required": false, "elements": { "type": "string" 
@@ -2689,67 +2368,67 @@ "type": "array", "default": [ "sub" - ], - "description": "The claim used to derive virtual credentials (e.g. to be consumed by the rate-limiting plugin), in case the consumer mapping is not used. If multiple values are set, it means the claim is inside a nested object of the token payload." + ] } }, { "anonymous": { - "required": false, + "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", "type": "string", - "description": "An optional string (consumer UUID or username) value that functions as an “anonymous” consumer if authentication fails. If empty (default null), requests that fail authentication will return a `4xx` HTTP status code. This value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "required": false } }, { "run_on_preflight": { - "required": false, - "default": true, + "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests.", "type": "boolean", - "description": "Specifies whether to run this plugin on pre-flight (`OPTIONS`) requests." + "required": false, + "default": true } }, { "leeway": { - "required": false, - "default": 0, + "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims", "type": "number", - "description": "Defines leeway time (in seconds) for `auth_time`, `exp`, `iat`, and `nbf` claims" + "required": false, + "default": 0 } }, { "verify_parameters": { - "required": false, - "default": false, + "description": "Verify plugin configuration against discovery.", "type": "boolean", - "description": "Verify plugin configuration against discovery." 
+ "required": false, + "default": false } }, { "verify_nonce": { - "required": false, - "default": true, + "description": "Verify nonce on authorization code flow.", "type": "boolean", - "description": "Verify nonce on authorization code flow." + "required": false, + "default": true } }, { "verify_claims": { - "required": false, - "default": true, + "description": "Verify tokens for standard claims.", "type": "boolean", - "description": "Verify tokens for standard claims." + "required": false, + "default": true } }, { "verify_signature": { - "required": false, - "default": true, + "description": "Verify signature of tokens.", "type": "boolean", - "description": "Verify signature of tokens." + "required": false, + "default": true } }, { "ignore_signature": { + "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication.", "required": false, "elements": { "type": "string", 
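Review bot: The descriptions of `verify_signature`, `verify_claims` and `verify_nonce` in this hunk name the check but not what is lost when an operator sets the flag to `false`. All three default to `true`, so the risk is only in a deliberate override, but the text should say so, for example `"description": "Verify signature of tokens. When false, tokens are accepted without a signature check."`, with matching sentences for the claims and nonce checks. The `leeway` description also gives the unit (seconds) but no upper bound, and the schema has no `between` on it. Whether a bound is enforced elsewhere cannot be told from here. The surrounding `fields` array starts and ends outside the hunk, and the `ignore_signature` object that opens at its end continues in the next one.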
@@ -2766,22 +2445,22 @@ "type": "array", "default": [ - ], - "description": "Skip the token signature verification on certain grants: - `password`: OAuth password grant - `client_credentials`: OAuth client credentials grant - `authorization_code`: authorization code flow - `refresh_token`: OAuth refresh token grant - `session`: session cookie authentication - `introspection`: OAuth introspection - `userinfo`: OpenID Connect user info endpoint authentication." + ] } }, { "enable_hs_signatures": { - "required": false, - "default": false, + "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted).", "type": "boolean", - "description": "Enable shared secret, for example, HS256, signatures (when disabled they will not be accepted)." + "required": false, + "default": false } }, { "disable_session": { - "required": false, + "description": "Disable issuing the session cookie with the specified grants.", "type": "array", + "required": false, "elements": { "type": "string", "one_of": [ 
@@ -2795,540 +2474,440 @@ "refresh_token", "session" ] - }, - "description": "Disable issuing the session cookie with the specified grants." + } } }, { "cache_ttl": { - "required": false, - "default": 3600, + "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry.", "type": "number", - "description": "The default cache ttl in seconds that is used in case the cached object does not specify the expiry." + "required": false, + "default": 3600 } }, { "cache_ttl_max": { - "required": false, + "description": "The maximum cache ttl in seconds (enforced).", "type": "number", - "description": "The maximum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_min": { - "required": false, + "description": "The minimum cache ttl in seconds (enforced).", "type": "number", - "description": "The minimum cache ttl in seconds (enforced)." + "required": false } }, { "cache_ttl_neg": { - "required": false, + "description": "The negative cache ttl in seconds.", "type": "number", - "description": "The negative cache ttl in seconds." + "required": false } }, { "cache_ttl_resurrect": { - "required": false, + "description": "The resurrection ttl in seconds.", "type": "number", - "description": "The resurrection ttl in seconds." + "required": false } }, { "cache_tokens": { - "required": false, - "default": true, + "description": "Cache the token endpoint requests.", "type": "boolean", - "description": "Cache the token endpoint requests." + "required": false, + "default": true } }, { "cache_tokens_salt": { - "required": false, - "type": "string", + "description": "Salt used for generating the cache key that is used for caching the token endpoint requests.", "auto": true, - "description": "Salt used for generating the cache key that is used for caching the token endpoint requests." 
+ "type": "string", + "required": false } }, { "cache_introspection": { - "required": false, - "default": true, + "description": "Cache the introspection endpoint requests.", "type": "boolean", - "description": "Cache the introspection endpoint requests." + "required": false, + "default": true } }, { "cache_token_exchange": { - "required": false, - "default": true, + "description": "Cache the token exchange endpoint requests.", "type": "boolean", - "description": "Cache the token exchange endpoint requests." + "required": false, + "default": true } }, { "cache_user_info": { - "required": false, - "default": true, + "description": "Cache the user info requests.", "type": "boolean", - "description": "Cache the user info requests." + "required": false, + "default": true } }, { "search_user_info": { - "required": false, - "default": false, + "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers.", "type": "boolean", - "description": "Specify whether to use the user info endpoint to get additional claims for consumer mapping, credential mapping, authenticated groups, and upstream and downstream headers." + "required": false, + "default": false } }, { "hide_credentials": { - "required": false, - "default": false, + "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication.", "type": "boolean", - "description": "Remove the credentials used for authentication from the request. If multiple credentials are sent with the same request, the plugin will remove those that were used for successful authentication." 
+ "required": false, + "default": false } }, { "http_version": { - "required": false, - "default": 1.1, "description": "The HTTP version used for the requests by this plugin: - `1.1`: HTTP 1.1 (the default) - `1.0`: HTTP 1.0.", - "type": "number" + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "required": false, "description": "The HTTP proxy.", + "required": false, "type": "string" } }, { "http_proxy_authorization": { - "required": false, + "description": "The HTTP proxy authorization.", "type": "string", - "description": "The HTTP proxy authorization." + "required": false } }, { "https_proxy": { - "required": false, "description": "The HTTPS proxy.", + "required": false, "type": "string" } }, { "https_proxy_authorization": { - "required": false, + "description": "The HTTPS proxy authorization.", "type": "string", - "description": "The HTTPS proxy authorization." + "required": false } }, { "no_proxy": { - "required": false, + "description": "Do not use proxy with these hosts.", "type": "string", - "description": "Do not use proxy with these hosts." + "required": false } }, { "keepalive": { - "required": false, - "default": true, + "description": "Use keepalive with the HTTP client.", "type": "boolean", - "description": "Use keepalive with the HTTP client." + "required": false, + "default": true } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`.", "type": "boolean", - "description": "Verify identity provider server certificate. If set to `true`, the plugin uses the CA certificate set in the `kong.conf` config parameter `lua_ssl_trusted_certificate`." 
+ "required": false, + "default": false } }, { "timeout": { - "required": false, - "default": 10000, + "description": "Network IO timeout in milliseconds.", "type": "number", - "description": "Network IO timeout in milliseconds." + "required": false, + "default": 10000 } }, { "display_errors": { - "required": false, - "default": false, + "description": "Display errors on failure responses.", "type": "boolean", - "description": "Display errors on failure responses." + "required": false, + "default": false } }, { "by_username_ignore_case": { - "required": false, - "default": false, + "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively.", "type": "boolean", - "description": "If `consumer_by` is set to `username`, specify whether `username` can match consumers case-insensitively." + "required": false, + "default": false } }, { "resolve_distributed_claims": { - "required": false, - "default": false, + "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims.", "type": "boolean", - "description": "Distributed claims are represented by the `_claim_names` and `_claim_sources` members of the JSON object containing the claims. If this parameter is set to `true`, the plugin explicitly resolves these distributed claims." + "required": false, + "default": false } }, { "expose_error_code": { - "default": true, + "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable.", "type": "boolean", - "description": "Specifies whether to expose the error code header, as defined in RFC 6750. If an authorization request fails, this header is sent in the response. Set to `false` to disable." 
+ "default": true } }, { "token_cache_key_include_scope": { - "default": false, + "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens.", "type": "boolean", - "description": "Include the scope in the token cache key, so token with different scopes are considered diffrent tokens." + "default": false } }, { "introspection_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for introspection.", "type": "string", - "description": "Designate token's parameter name for introspection." + "required": false, + "default": "token" } }, { "revocation_token_param_name": { - "required": false, - "default": "token", + "description": "Designate token's parameter name for revocation.", "type": "string", - "description": "Designate token's parameter name for revocation." + "required": false, + "default": "token" } }, { "proof_of_possession_mtls": { + "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable mtls proof of possession. If set to strict, all tokens (from supported auth_methods: bearer, introspection, and session granted with bearer or introspection) are verified, if set to optional, only tokens that contain the certificate hash claim are verified. If the verification fails, the request will be rejected with 401." 
+ "type": "string", + "default": "off" } }, { "proof_of_possession_auth_methods_validation": { - "required": false, - "default": true, + "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP.", "type": "boolean", - "description": "If set to true, only the auth_methods that are compatible with Proof of Possession (PoP) can be configured when PoP is enabled. If set to false, all auth_methods will be configurable and PoP checks will be silently skipped for those auth_methods that are not compatible with PoP." + "required": false, + "default": true } }, { "tls_client_auth_cert_id": { - "required": false, + "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server.", + "auto": false, "type": "string", "uuid": true, - "auto": false, - "description": "ID of the Certificate entity representing the client certificate to use for mTLS client authentication for connections between Kong and the Auth Server." + "required": false } }, { "tls_client_auth_ssl_verify": { - "required": false, - "default": true, + "description": "Verify identity provider server certificate during mTLS client authentication.", "type": "boolean", - "description": "Verify identity provider server certificate during mTLS client authentication." + "required": false, + "default": true } }, { "mtls_token_endpoint": { - "required": false, "description": "Alias for the token endpoint to be used for mTLS client authentication. 
If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_introspection_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "mtls_revocation_endpoint": { - "required": false, "description": "Alias for the introspection endpoint to be used for mTLS client authentication. If set it overrides the value in `mtls_endpoint_aliases` returned by the discovery endpoint.", + "required": false, "type": "string" } }, { "proof_of_possession_dpop": { + "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "strict", "optional" ], - "description": "Enable Demonstrating Proof-of-Possession (DPoP). If set to strict, all request are verified despite the presence of the DPoP key claim (cnf.jkt). If set to optional, only tokens bound with DPoP's key are verified with the proof." + "type": "string", + "default": "off" } }, { "dpop_use_nonce": { - "required": false, - "default": false, + "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime.", "type": "boolean", - "description": "Specifies whether to challenge the client with a nonce value for DPoP proof. When enabled it will also be used to calculate the DPoP proof lifetime." + "required": false, + "default": false } }, { "dpop_proof_lifetime": { - "required": false, - "default": 300, + "description": "Specifies the lifetime in seconds of the DPoP proof. 
It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise.", "type": "number", - "description": "Specifies the lifetime in seconds of the DPoP proof. It determines how long the same proof can be used after creation. The creation time is determined by the nonce creation time if a nonce is used, and the iat claim otherwise." + "required": false, + "default": 300 } }, { "claims_forbidden": { - "required": false, + "description": "If given, these claims are forbidden in the token payload.", "type": "array", + "required": false, "elements": { "type": "string" - }, - "description": "If given, these claims are forbidden in the token payload." + } } }, { "cluster_cache_strategy": { + "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared.", "required": false, - "type": "string", - "default": "off", "one_of": [ "off", "redis" ], - "description": "The strategy to use for the cluster cache. If set, the plugin will share cache with nodes configured with the same strategy backend. Currentlly only introspection cache is shared." 
+ "type": "string", + "default": "off" } }, { "cluster_cache_redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] + "default": 2000 } }, { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "send_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } - }, - { - "send_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } - }, - { - "read_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" - } + "read_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 + ], + "default": 2000 + } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 
512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
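Review bot: `ssl_verify` in this hunk still carries `"default": false`, so connections to the identity provider (discovery, token, introspection, user info) are made without checking the server certificate unless an operator opts in. The same hunk sets `tls_client_auth_ssl_verify` to `"default": true`, so the two TLS verification switches disagree. This file looks like an export of the plugin schema, so the default itself would have to change upstream. Here the description should at least say so, for example by appending `Defaults to false, which leaves the identity provider's certificate unchecked; set to true in production.` Separately, the `mtls_revocation_endpoint` description still reads "Alias for the introspection endpoint" where it presumably means the revocation endpoint.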
@@ -3339,164 +2918,759 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], - "shorthand_fields": [ + "entity_checks": [ { - "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "connect_timeout" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" ], - "type": "integer" + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "sentinel_addresses": { - "deprecation": { - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", - "elements": { - "type": "string" - }, - "len_min": 1 + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] } }, { - "cluster_addresses": { - "deprecation": { - "message": "cluster_addresses is deprecated, please use cluster_nodes instead", - "removal_in_version": "4.0" - }, - "type": "array", - "elements": { - "type": "string" + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true }, - "len_min": 1 + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + 
"database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } - ] - } - } - ], + ], + "type": "record", + "shorthand_fields": [ + { + "timeout": { + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } + } + }, + { + "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "required": true + } + } + ], + "required": true, + "shorthand_fields": [ + { + "authorization_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_lifetime is deprecated, please use config.authorization_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "authorization_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_samesite is deprecated, please use config.authorization_cookie_same_site 
instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "authorization_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.authorization_cookie_httponly is deprecated, please use config.authorization_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + 
"removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + "redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ], + "message": "openid-connect: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "openid-connect: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + 
] + } + ], + "message": "openid-connect: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "openid-connect: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "openid-connect: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "openid-connect: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + 
} + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "openid-connect: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "openid-connect: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "openid-connect: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": 
true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "openid-connect: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], "type": "record" } } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } ] } \ No newline at end of file diff --git a/schemas/opentelemetry/3.8.x.json b/schemas/opentelemetry/3.8.x.json index e7c1e33..a847aca 100644 --- a/schemas/opentelemetry/3.8.x.json +++ b/schemas/opentelemetry/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,56 +19,45 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "entity_checks": [ - { - "at_least_one_of": [ - "traces_endpoint", - "logs_endpoint" - ] - } - ], - "type": "record", "fields": [ { "traces_endpoint": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "referenceable": true } }, { "logs_endpoint": { - "referenceable": true, "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + "type": "string", + "referenceable": true } }, { "headers": { - "type": "map", "description": "The custom headers to be added in the HTTP request sent to the OTLP server. This setting is useful for adding the authentication headers (token) for the APM backend.", + "type": "map", "values": { - "type": "string", - "referenceable": true + "referenceable": true, + "type": "string" }, "keys": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } }, @@ -80,11 +67,11 @@ "required": true, "type": "string" }, + "type": "map", "values": { "required": true, "type": "string" - }, - "type": "map" + } } }, { 
@@ -92,144 +79,144 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], + "type": "record", + "required": true, "default": { "max_batch_size": 200 - }, - "required": true, - "type": "record" + } } }, { "batch_span_count": { + "description": "The number of spans to be sent in a single batch.", + "type": "integer", "deprecation": { + "old_default": 200, "message": "opentelemetry: config.batch_span_count is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 200 - }, - "type": "integer", - "description": "The number of spans to be sent in a single batch." + "removal_in_version": "4.0" + } } }, { "batch_flush_delay": { + "description": "The delay, in seconds, between two consecutive batches.", + "type": "integer", "deprecation": { + "old_default": 3, "message": "opentelemetry: config.batch_flush_delay is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 3 - }, - "type": "integer", - "description": "The delay, in seconds, between two consecutive batches." + "removal_in_version": "4.0" + } } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 1000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "type": "integer" + "default": 1000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { @@ -240,13 +227,6 @@ { "header_type": { "required": false, - "type": "string", - "deprecation": { - "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0", - "old_default": "preserve" - }, - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -258,18 +238,25 @@ "aws", "gcp", "datadog" - ] + ], + "type": "string", + "deprecation": { + "old_default": "preserve", + "message": "opentelemetry: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + }, + "default": "preserve" } }, { "sampling_rate": { - "required": false, "description": "Tracing sampling rate for configuring the probability-based sampler. When set, this value supersedes the global `tracing_sampling_rate` setting from kong.conf.", + "type": "number", "between": [ 0, 1 ], - "type": "number" + "required": false } }, { 
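Review bot: `max_retry_time` is re-emitted here as a bare `number` with `"default": 60` and no `between`, while its siblings `initial_retry_delay` and `max_retry_delay` in the same hunk carry `"between": [0.001, 1000000]`; `max_bytes` is likewise an unbounded `integer`. Unless the queue code validates these separately, a zero or negative value would pass schema validation, so an explicit bound such as `"between": [0, 1000000]` on `max_retry_time` would make the contract visible; the exact limits need confirming against the queue implementation. Separately, the `concurrency_limit` description reads "The number of of queue delivery timers" and the doubled "of" should be dropped. The enclosing record (apparently `config.queue`, going by the deprecation messages) opens before this hunk.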
@@ -277,91 +264,104 @@ "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array", "elements": { "type": "string", "one_of": [ + "gcp", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "jaeger" + "b3" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array", "elements": { "type": "string", "one_of": [ "preserve", + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" + "b3" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." + } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "required": true, "one_of": [ + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" - ], - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." 
+ "b3" + ] } } ], + "type": "record", + "required": true, "default": { "default_format": "w3c" - }, - "required": true, - "type": "record" + } } } ], + "entity_checks": [ + { + "at_least_one_of": [ + "traces_endpoint", + "logs_endpoint" + ] + } + ], + "type": "record", "shorthand_fields": [ { "endpoint": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string", + "referenceable": true, "deprecation": { "message": "OpenTelemetry: config.endpoint is deprecated, please use config.traces_endpoint instead", "removal_in_version": "4.0" - }, - "referenceable": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", - "type": "string" + } } } - ] + ], + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/post-function/3.8.x.json b/schemas/post-function/3.8.x.json index 6f23c17..80a5355 100644 --- a/schemas/post-function/3.8.x.json +++ b/schemas/post-function/3.8.x.json @@ -1,32 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], "elements": { "type": "string", "one_of": [ 
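Review bot: The `one_of` lists for `extract`, `inject` and `default_format` change only in element order (`gcp`, `jaeger` and `b3-single` move ahead of `aws`, `b3` moves to the end), and most other lines in this file are the same keys re-emitted at a different position. That looks like an unordered dump, and it makes constraint changes hard to spot: the `entity_checks` block with `at_least_one_of` for `traces_endpoint` and `logs_endpoint` is removed in an earlier hunk and only reappears here, so a reviewer has to pair the two by hand to confirm no check was dropped. Emitting keys and enum values in a stable order in whatever step writes these files would keep future diffs down to real schema changes.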
@@ -38,29 +13,41 @@ "wss" ] }, - "type": "set" + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -72,9 +59,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -82,8 +67,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
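Review bot: The `fields` array defines `protocols` twice: the first entry, completed in this hunk with `"required": false` and a default that includes `ws` and `wss`, and a second entry with `"required": true` whose visible default entries are `grpcs`, `http` and `https`. A consumer that folds `fields` into a map keyed by field name keeps only one of them, and which one it keeps decides whether the WebSocket protocols are accepted and defaulted. If the pair comes from the plugin overriding a base field, the dump should emit only the effective definition. schemas/pre-function/3.8.x.json shows the same pair.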
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/pre-function/3.8.x.json b/schemas/pre-function/3.8.x.json index 6f23c17..80a5355 100644 --- a/schemas/pre-function/3.8.x.json +++ b/schemas/pre-function/3.8.x.json @@ -1,32 +1,7 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.certificate", - "config.rewrite", - "config.access", - "config.header_filter", - "config.body_filter", - "config.log", - "config.ws_handshake", - "config.ws_upstream_frame", - "config.ws_client_frame", - "config.ws_close" - ] - } - ], "fields": [ { "protocols": { - "required": false, - "default": [ - "grpc", - "grpcs", - "http", - "https", - "ws", - "wss" - ], "elements": { "type": "string", "one_of": [ @@ -38,29 +13,41 @@ "wss" ] }, - "type": "set" + "required": false, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https", + "ws", + "wss" + ] } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -72,9 +59,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -82,8 +67,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -91,138 +75,154 @@ "fields": [ { "certificate": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "rewrite": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "access": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "header_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "body_filter": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "log": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_handshake": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_client_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_upstream_frame": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } }, { "ws_close": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "required": false, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.certificate", + "config.rewrite", + "config.access", + 
"config.header_filter", + "config.body_filter", + "config.log", + "config.ws_handshake", + "config.ws_upstream_frame", + "config.ws_client_frame", + "config.ws_close" + ] + } ] } \ No newline at end of file diff --git a/schemas/prometheus/3.8.x.json b/schemas/prometheus/3.8.x.json index 477afda..8a19307 100644 --- a/schemas/prometheus/3.8.x.json +++ b/schemas/prometheus/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,50 +42,53 @@ "fields": [ { "per_consumer": { - "default": false, + "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available.", "type": "boolean", - "description": "A boolean value that determines if per-consumer metrics should be collected. If enabled, the `kong_http_requests_total` and `kong_bandwidth_bytes` metrics fill in the consumer label when available." + "default": false } }, { "status_code_metrics": { - "default": false, + "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if status code metrics should be collected. If enabled, `http_requests_total`, `stream_sessions_total` metrics will be exported." + "default": false } }, { "ai_metrics": { - "default": false, + "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if ai metrics should be collected. If enabled, the `ai_llm_requests_total`, `ai_llm_cost_total` and `ai_llm_tokens_total` metrics will be exported." + "default": false } }, { "latency_metrics": { - "default": false, + "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if latency metrics should be collected. If enabled, `kong_latency_ms`, `upstream_latency_ms` and `request_latency_ms` metrics will be exported." 
+ "default": false } }, { "bandwidth_metrics": { - "default": false, + "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported.", "type": "boolean", - "description": "A boolean value that determines if bandwidth metrics should be collected. If enabled, `bandwidth_bytes` and `stream_sessions_total` metrics will be exported." + "default": false } }, { "upstream_health_metrics": { - "default": false, + "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported.", "type": "boolean", - "description": "A boolean value that determines if upstream metrics should be collected. If enabled, `upstream_target_health` metric will be exported." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/proxy-cache-advanced/3.8.x.json b/schemas/proxy-cache-advanced/3.8.x.json index 81c6b90..30b3682 100644 --- a/schemas/proxy-cache-advanced/3.8.x.json +++ b/schemas/proxy-cache-advanced/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,6 +27,7 @@ "fields": [ { "response_code": { + "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900.", "required": true, "elements": { "between": [ 
@@ -45,17 +37,17 @@ "type": "integer" }, "type": "array", + "len_min": 1, "default": [ 200, 301, 404 - ], - "len_min": 1, - "description": "Upstream response status code considered cacheable. The integers must be a value between 100 and 900." + ] } }, { "request_method": { + "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`.", "required": true, "elements": { "type": "string", @@ -71,12 +63,12 @@ "default": [ "GET", "HEAD" - ], - "description": "Downstream request methods considered cacheable. Available options: `HEAD`, `GET`, `POST`, `PATCH`, `PUT`." + ] } }, { "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned.", "required": true, "elements": { "type": "string" 
@@ -85,49 +77,48 @@ "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value; for example, if the upstream is expected to respond with a `application/json; charset=utf-8` content-type, the plugin configuration must contain said value or a `Bypass` cache status is returned." + ] } }, { "cache_ttl": { - "gt": 0, - "default": 300, + "description": "TTL in seconds of cache entities.", "type": "integer", - "description": "TTL in seconds of cache entities." + "gt": 0, + "default": 300 } }, { "strategy": { + "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`.", "required": true, + "type": "string", "one_of": [ "memory", "redis" - ], - "type": "string", - "description": "The backing data store in which to hold cache entities. Accepted values are: `memory` and `redis`." + ] } }, { "cache_control": { + "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", "required": true, - "default": false, "type": "boolean", - "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234." + "default": false } }, { "ignore_uri_case": { + "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI.", "required": false, - "default": false, "type": "boolean", - "description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI." + "default": false } }, { "storage_ttl": { - "type": "integer", - "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors." 
+ "description": "Number of seconds to keep resources in the storage backend. This value is independent of `cache_ttl` or resource TTLs defined by Cache-Control behaviors.", + "type": "integer" } }, { 
@@ -135,269 +126,170 @@ "fields": [ { "dictionary_name": { + "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", "required": true, - "default": "kong_db_cache", "type": "string", - "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template." + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "vary_headers": { "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Status": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } }, { "X-Cache-Key": { - "type": "boolean", - "default": true + "default": true, + "type": "boolean" } } ], - "description": "Caching related diagnostic headers that should be included in cached responses", - "required": true, - "type": "record" + "required": true } }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { 
- "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
@@ -408,171 +300,310 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "bypass_on_err": { - "default": false, + "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream.", "type": "boolean", - "description": "Unhandled errors while trying to retrieve a cache entry (such as redis down) are resolved with `Bypass`, with the request going upstream." + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/proxy-cache/3.8.x.json b/schemas/proxy-cache/3.8.x.json index 63a21dc..6bc799e 100644 --- a/schemas/proxy-cache/3.8.x.json +++ b/schemas/proxy-cache/3.8.x.json 
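Review bot: In the reordered `redis` record, `ssl` and `ssl_verify` both keep `"default": false`, and neither description says what that default means for the `password` and `sentinel_password` fields defined earlier in this file's diff. A configuration that sets only host, port and password sends the AUTH credentials and the cache entries to Redis without TLS, and turning on `ssl` alone still skips certificate validation. If the schema is a dump of upstream defaults the values cannot change here, so I would state it in the text instead, for example by ending the `ssl` description with `Defaults to false; enable it together with ssl_verify whenever password is set.` The same two defaults appear in the rate-limiting-advanced `redis` record further down, in a hunk that runs past the part of the diff shown here.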
@@ -1,18 +1,12 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -24,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -34,8 +26,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { @@ -43,6 +34,7 @@ "fields": [ { "response_code": { + "description": "Upstream response status code considered cacheable.", "required": true, "elements": { "between": [ @@ -51,18 +43,18 @@ ], "type": "integer" }, + "type": "array", "len_min": 1, "default": [ 200, 301, 404 - ], - "type": "array", - "description": "Upstream response status code considered cacheable." + ] } }, { "request_method": { + "description": "Downstream request methods considered cacheable.", "required": true, "elements": { "type": "string", @@ -78,12 +70,12 @@ "default": [ "GET", "HEAD" - ], - "description": "Downstream request methods considered cacheable." + ] } }, { "content_type": { + "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value.", "required": true, "elements": { "type": "string" 
@@ -92,41 +84,40 @@ "default": [ "text/plain", "application/json" - ], - "description": "Upstream response content types considered cacheable. The plugin performs an **exact match** against each specified value." + ] } }, { "cache_ttl": { - "gt": 0, - "default": 300, "description": "TTL, in seconds, of cache entities.", - "type": "integer" + "type": "integer", + "gt": 0, + "default": 300 } }, { "strategy": { + "description": "The backing data store in which to hold cache entities.", "required": true, + "type": "string", "one_of": [ "memory" - ], - "description": "The backing data store in which to hold cache entities.", - "type": "string" + ] } }, { "cache_control": { - "required": true, - "default": false, "description": "When enabled, respect the Cache-Control behaviors defined in RFC7234.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { "ignore_uri_case": { + "type": "boolean", "required": false, - "default": false, - "type": "boolean" + "default": false } }, { 
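Review bot: `ignore_uri_case` is reordered in this hunk but still has no `description`, unlike `cache_ttl`, `strategy` and `cache_control` next to it. Enabling it makes URIs that differ only in case share one cache entry, so an upstream that treats paths case-sensitively could presumably have one resource's cached response returned for another; operators should be able to read that from the schema. I would reuse the wording the proxy-cache-advanced schema in this same diff already carries: `"description": "Determines whether to treat URIs as case sensitive. By default, case sensitivity is enabled. If set to true, requests are cached while ignoring case sensitivity in the URI."`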
@@ -140,37 +131,39 @@ "fields": [ { "dictionary_name": { - "required": true, - "default": "kong_db_cache", "description": "The name of the shared dictionary in which to hold cache entities when the memory strategy is selected. Note that this dictionary currently must be defined manually in the Kong Nginx template.", - "type": "string" + "required": true, + "type": "string", + "default": "kong_db_cache" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "vary_query_params": { + "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant query parameters considered for the cache key. If undefined, all params are taken into consideration." + } } }, { "vary_headers": { + "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration.", "type": "array", "elements": { "type": "string" - }, - "description": "Relevant headers considered for the cache key. If undefined, none of the headers are taken into consideration." + } } }, { "response_headers": { + "description": "Caching related diagnostic headers that should be included in cached responses", + "type": "record", "fields": [ { "age": { @@ -191,14 +184,21 @@ } } ], - "type": "record", - "required": true, - "description": "Caching related diagnostic headers that should be included in cached responses" + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting-advanced/3.8.x.json b/schemas/rate-limiting-advanced/3.8.x.json index 7155100..7df38f7 100644 --- a/schemas/rate-limiting-advanced/3.8.x.json +++ b/schemas/rate-limiting-advanced/3.8.x.json 
@@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -36,9 +27,8 @@ "fields": [ { "identifier": { + "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`.", "required": true, - "type": "string", - "default": "consumer", "one_of": [ "ip", "credential", 
@@ -48,315 +38,217 @@ "path", "consumer-group" ], - "description": "The type of identifier used to generate the rate limit key. Defines the scope used to increment the rate limiting counters. Can be `ip`, `credential`, `consumer`, `service`, `header`, `path` or `consumer-group`." + "type": "string", + "default": "consumer" } }, { "window_size": { - "required": true, "description": "One or more window sizes to apply a limit to (defined in seconds). There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "type": "array" + } } }, { "window_type": { "description": "Sets the time window type to either `sliding` (default) or `fixed`. Sliding windows apply the rate limiting logic while taking into account previous hit rates (from the window that immediately precedes the current) using a dynamic weight. Fixed windows consist of buckets that are statically assigned to a definitive time range, each request is mapped to only one fixed window based on its timestamp and will affect only that window's counters.", + "type": "string", "default": "sliding", "one_of": [ "fixed", "sliding" - ], - "type": "string" + ] } }, { "limit": { - "required": true, "description": "One or more requests-per-window limits to apply. There must be a matching number of window limits and sizes specified.", + "required": true, + "type": "array", "elements": { "type": "number" - }, - "type": "array" + } } }, { "sync_rate": { - "type": "number", - "description": "How often to sync counter data to the central data store. A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms)." + "description": "How often to sync counter data to the central data store. 
A value of 0 results in synchronous behavior; a value of -1 ignores sync behavior entirely and only stores counters in node memory. A value greater than 0 will sync the counters in the specified number of seconds. The minimum allowed interval is 0.02 seconds (20ms).", + "type": "number" } }, { "namespace": { - "required": true, - "auto": true, "description": "The rate limiting library namespace to use for this plugin instance. Counter data and sync configuration is isolated in each namespace. NOTE: For the plugin instances sharing the same namespace, all the configurations that are required for synchronizing counters, e.g. `strategy`, `redis`, `sync_rate`, `window_size`, `dictionary_name`, need to be the same.", - "type": "string" + "auto": true, + "type": "string", + "required": true } }, { "strategy": { + "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`.", "required": true, - "type": "string", - "default": "local", "one_of": [ "cluster", "redis", "local" ], - "description": "The rate-limiting strategy to use for retrieving and incrementing the limits. Available values are: `local` and `cluster`." + "type": "string", + "default": "local" } }, { "dictionary_name": { - "required": true, - "default": "kong_rate_limiting_counters", "description": "The shared dictionary where counters are stored. 
When the plugin is configured to synchronize counter data externally (that is `config.strategy` is `cluster` or `redis` and `config.sync_rate` isn't `-1`), this dictionary serves as a buffer to populate counters in the data store on each synchronization cycle.", - "type": "string" + "type": "string", + "required": true, + "default": "kong_rate_limiting_counters" } }, { "hide_client_headers": { - "default": false, "description": "Optionally hide informative response headers that would otherwise provide information about the current status of limits and counters.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "retry_after_jitter_max": { - "default": 0, "description": "The upper bound of a jitter (random delay) in seconds to be added to the `Retry-After` header of denied requests (status = `429`) in order to prevent all the clients from coming back at the same time. The lower bound of the jitter is `0`; in this case, the `Retry-After` header is equal to the `RateLimit-Reset` header.", - "type": "number" + "type": "number", + "default": 0 } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." 
} }, { "redis": { - "required": true, - "entity_checks": [ - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - } - }, - { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_match": { - "eq": true - }, - "then_match": { - "required": true - }, - "if_field": "connection_is_proxied" - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 - ], - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", - "type": "string" + "type": "string", + "referenceable": true } }, { "password": { "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "sentinel_username": { - "referenceable": true, "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", - "type": "string" + "type": "string", + "referenceable": true } }, { "sentinel_password": { "description": "Sentinel password to authenticate with a Redis Sentinel instance. 
If undefined, no AUTH commands are sent to Redis Sentinels.", + "type": "string", "referenceable": true, - "encrypted": true, - "type": "string" + "encrypted": true } }, { "database": { - "default": 0, "description": "Database to use for the Redis connection when using the `redis` strategy", - "type": "integer" + "type": "integer", + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", - "type": "integer" + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. 
Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { 
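Review bot: The `strategy` description, now moved to the top of the field, still ends with "Available values are: `local` and `cluster`", while the `one_of` list directly below it accepts `cluster`, `redis` and `local`. The `dictionary_name` description in the same hunk also refers to `config.strategy` being `redis`, so the two descriptions disagree with each other. A reader relying on the description would not learn that counters can be kept in Redis, which is the choice that brings the `redis` record's credentials and TLS settings into play. I would change the last sentence of the description to list all three values: local, cluster and redis. If this file is generated from the plugin source, the correction belongs there.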
@@ -367,202 +259,341 @@ }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "type": "string", - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. 
The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } } ], "type": "record" }, "type": "array", - "len_min": 1, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "len_min": 1 } }, { "ssl": { - "required": false, - "default": false, "description": "If set to true, uses SSL to connect to Redis.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } }, { "cluster_max_redirections": { + "description": "Maximum retry attempts for redirection.", "required": false, - "default": 5, "type": "integer", - "description": "Maximum retry attempts for redirection." 
+ "default": 5 } }, { "connection_is_proxied": { - "required": false, - "default": false, "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "type": "boolean" + "required": false, + "type": "boolean", + "default": false + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + 
"connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true } }, { "enforce_consumer_groups": { - "default": false, "description": "Determines if consumer groups are allowed to override the rate limiting settings for the given Route or Service. Flipping `enforce_consumer_groups` from `true` to `false` disables the group override, but does not clear the list of consumer groups. You can then flip `enforce_consumer_groups` to `true` to re-enforce the groups.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "consumer_groups": { + "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`.", "type": "array", "elements": { "type": "string" - }, - "description": "List of consumer groups allowed to override the rate limiting settings for the given Route or Service. Required if `enforce_consumer_groups` is set to `true`." + } } }, { "disable_penalty": { - "default": false, "description": "If set to `true`, this doesn't count denied requests (status = `429`). 
If set to `false`, all requests, including denied ones, are counted. This parameter only affects the `sliding` window_type.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "error_code": { - "gt": 0, - "default": 429, "description": "Set a custom error code to return when the rate limit is exceeded.", - "type": "number" + "type": "number", + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", "description": "Set a custom error message to return when the rate limit is exceeded.", - "type": "string" + "type": "string", + "default": "API rate limit exceeded" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/rate-limiting/3.8.x.json b/schemas/rate-limiting/3.8.x.json index 88995bc..b98f28d 100644 --- a/schemas/rate-limiting/3.8.x.json +++ b/schemas/rate-limiting/3.8.x.json 
@@ -1,79 +1,8 @@ { - "entity_checks": [ - { - "at_least_one_of": [ - "config.second", - "config.minute", - "config.hour", - "config.day", - "config.month", - "config.year" - ] - }, - { - "conditional": { - "then_field": "config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.header_name", - "if_match": { - "eq": "header" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - }, - { - "conditional": { - "then_field": "config.path", - "if_match": { - "eq": "path" - }, - "then_match": { - "required": true - }, - "if_field": "config.limit_by" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -90,178 +19,57 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "required": true, - "shorthand_fields": [ - { - "redis_host": { - "deprecation": { - "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" - } - }, - { - "redis_port": { - "deprecation": { - "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" - } - }, - { - "redis_password": { - "deprecation": { - "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "len_min": 0, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" - } - }, - { - "redis_username": { - "deprecation": { - "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" - } - }, - { - "redis_ssl": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" - } - }, - { - "redis_ssl_verify": { - "deprecation": { - "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" - } - }, - { - "redis_server_name": { - "deprecation": { - "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, - 
"translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" - } - }, - { - "redis_timeout": { - "deprecation": { - "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "timeout" - ], - "type": "integer" - } - }, - { - "redis_database": { - "deprecation": { - "message": "rate-limiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "database" - ], - "type": "integer" - } - } - ], "fields": [ { "second": { - "gt": 0, + "description": "The number of HTTP requests that can be made per second.", "type": "number", - "description": "The number of HTTP requests that can be made per second." + "gt": 0 } }, { "minute": { - "gt": 0, + "description": "The number of HTTP requests that can be made per minute.", "type": "number", - "description": "The number of HTTP requests that can be made per minute." + "gt": 0 } }, { "hour": { - "gt": 0, + "description": "The number of HTTP requests that can be made per hour.", "type": "number", - "description": "The number of HTTP requests that can be made per hour." + "gt": 0 } }, { "day": { - "gt": 0, + "description": "The number of HTTP requests that can be made per day.", "type": "number", - "description": "The number of HTTP requests that can be made per day." + "gt": 0 } }, { "month": { - "gt": 0, + "description": "The number of HTTP requests that can be made per month.", "type": "number", - "description": "The number of HTTP requests that can be made per month." + "gt": 0 } }, { "year": { - "gt": 0, + "description": "The number of HTTP requests that can be made per year.", "type": "number", - "description": "The number of HTTP requests that can be made per year." 
+ "gt": 0 } }, { "limit_by": { + "description": "The entity that is used when aggregating the limits.", "type": "string", "default": "consumer", "one_of": [ 
@@ -272,167 +80,431 @@ "header", "path", "consumer-group" - ], - "description": "The entity that is used when aggregating the limits." + ] } }, { "header_name": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } }, { "path": { - "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string" + "type": "string", + "starts_with": "/", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { "policy": { - "type": "string", - "default": "local", + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", + "len_min": 0, "one_of": [ "local", "cluster", "redis" ], - "len_min": 0, - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + "type": "string", + "default": "local" } }, { "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party data store. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the data store is working again. 
If `false`, then the clients will see `500` errors." + "default": true } }, { "redis": { + "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } } ], - "description": "Redis configuration", - "required": true, - "type": "record" + "required": true } }, { "hide_client_headers": { + "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers." 
+ "default": false } }, { "error_code": { - "gt": 0, - "default": 429, + "description": "Set a custom error code to return when the rate limit is exceeded.", "type": "number", - "description": "Set a custom error code to return when the rate limit is exceeded." + "gt": 0, + "default": 429 } }, { "error_message": { - "default": "API rate limit exceeded", + "description": "Set a custom error message to return when the rate limit is exceeded.", "type": "string", - "description": "Set a custom error message to return when the rate limit is exceeded." + "default": "API rate limit exceeded" } }, { "sync_rate": { + "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior.", "required": true, - "default": -1, "type": "number", - "description": "How often to sync counter data to the central data store. A value of -1 results in synchronous behavior." + "default": -1 + } + } + ], + "required": true, + "shorthand_fields": [ + { + "redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "rate-limiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "rate-limiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_password": { + "len_min": 0, + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "rate-limiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + 
} + }, + { + "redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "rate-limiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "rate-limiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "rate-limiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "rate-limiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "rate-limiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "redis_database": { + "type": "integer", + "translate_backwards": [ + "redis", + "database" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "rate-limiting: config.redis_database is 
deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } } } ], "type": "record" } } + ], + "entity_checks": [ + { + "at_least_one_of": [ + "config.second", + "config.minute", + "config.hour", + "config.day", + "config.month", + "config.year" + ] + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "header" + }, + "then_field": "config.header_name", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.limit_by", + "if_match": { + "eq": "path" + }, + "then_field": "config.path", + "then_match": { + "required": true + } + } + } ] } \ No newline at end of file diff --git a/schemas/request-size-limiting/3.8.x.json b/schemas/request-size-limiting/3.8.x.json index 5e0fa71..669041e 100644 --- a/schemas/request-size-limiting/3.8.x.json +++ b/schemas/request-size-limiting/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,36 +35,39 @@ "fields": [ { "allowed_payload_size": { - "default": 128, + "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes).", "type": "integer", - "description": "Allowed request payload size in megabytes. Default is `128` megabytes (128000000 bytes)." + "default": 128 } }, { "size_unit": { + "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0.", "required": true, - "type": "string", - "default": "megabytes", "one_of": [ "megabytes", "kilobytes", "bytes" ], - "description": "Size unit can be set either in `bytes`, `kilobytes`, or `megabytes` (default). This configuration is not available in versions prior to Kong Gateway 1.3 and Kong Gateway (OSS) 2.0." + "type": "string", + "default": "megabytes" } }, { "require_content_length": { - "required": true, - "default": false, + "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body.", "type": "boolean", - "description": "Set to `true` to ensure a valid `Content-Length` header exists before reading the request body." + "required": true, + "default": false } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-termination/3.8.x.json b/schemas/request-termination/3.8.x.json index 427081f..e06de3d 100644 --- a/schemas/request-termination/3.8.x.json +++ b/schemas/request-termination/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,14 +27,14 @@ "fields": [ { "status_code": { + "description": "The response code to send. Must be an integer between 100 and 599.", "required": true, - "type": "integer", "between": [ 100, 599 ], - "default": 503, - "description": "The response code to send. Must be an integer between 100 and 599." + "type": "integer", + "default": 503 } }, { @@ -60,22 +57,25 @@ }, { "echo": { - "required": true, - "default": false, + "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic.", "type": "boolean", - "description": "When set, the plugin will echo a copy of the request back to the client. The main usecase for this is debugging. It can be combined with `trigger` in order to debug requests on live systems without disturbing real traffic." + "required": true, + "default": false } }, { "trigger": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer-advanced/3.8.x.json b/schemas/request-transformer-advanced/3.8.x.json index 06a0820..fa60288 100644 --- a/schemas/request-transformer-advanced/3.8.x.json +++ b/schemas/request-transformer-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -30,9 +27,9 @@ "fields": [ { "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "match": "^%u+$" } }, { @@ -40,40 +37,40 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -81,43 +78,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -125,42 +122,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -171,8 +169,7 @@ "number", "string" ] - }, - "type": "array" + } } }, { 
@@ -181,8 +178,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -190,42 +187,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -236,13 +234,12 @@ "number", "string" ] - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -250,42 +247,43 @@ "fields": [ { "body": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "querystring": { + "type": "array", "default": [ ], "elements": { "referenceable": true, "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -296,13 +294,12 @@ "number", "string" ] - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -310,28 +307,31 @@ "fields": [ { "body": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { - "default": true, + "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects).", "type": "boolean", - "description": "Specify whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects. See [Arrays and nested objects](#arrays-and-nested-objects)." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/request-transformer/3.8.x.json b/schemas/request-transformer/3.8.x.json index c7ef2fe..e622024 100644 --- a/schemas/request-transformer/3.8.x.json +++ b/schemas/request-transformer/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,8 +26,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { 
@@ -37,9 +34,9 @@ "fields": [ { "http_method": { + "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters.", "type": "string", - "match": "^%u+$", - "description": "A string representing an HTTP method, such as GET, POST, PUT, or DELETE. The string must contain only uppercase letters." + "match": "^%u+$" } }, { @@ -47,43 +44,43 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -91,44 +88,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -136,39 +133,39 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { @@ -177,8 +174,8 @@ } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -186,44 +183,44 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -231,50 +228,53 @@ "fields": [ { "body": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "querystring": { - "required": true, "default": [ ], + "type": "array", + "required": true, "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file 
diff --git a/schemas/request-validator/3.8.x.json b/schemas/request-validator/3.8.x.json index 868eddd..c334e59 100644 --- a/schemas/request-validator/3.8.x.json +++ b/schemas/request-validator/3.8.x.json @@ -1,16 +1,8 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -27,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -44,70 +35,73 @@ "fields": [ { "body_schema": { + "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified.", "required": false, - "type": "string", - "description": "The request body schema specification. One of `body_schema` or `parameter_schema` must be specified." + "type": "string" } }, { "allowed_content_types": { "description": "List of allowed content types. The value can be configured with the `charset` parameter. For example, `application/json; charset=UTF-8`.", + "type": "set", "default": [ "application/json" ], "elements": { "required": true, "type": "string" - }, - "type": "set" + } } }, { "version": { + "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator.", "required": true, - "type": "string", "one_of": [ "kong", "draft4" ], - "default": "kong", - "description": "Which validator to use. Supported values are `kong` (default) for using Kong's own schema validator, or `draft4` for using a JSON Schema Draft 4-compliant validator." + "type": "string", + "default": "kong" } }, { "parameter_schema": { - "required": false, + "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified.", "type": "array", + "required": false, "elements": { "fields": [ { "in": { + "description": "The location of the parameter.", + "type": "string", "required": true, "one_of": [ "query", "header", "path" - ], - "type": "string", - "description": "The location of the parameter." + ] } }, { "name": { + "description": "The name of the parameter. Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`.", "required": true, - "type": "string", - "description": "The name of the parameter. 
Parameter names are case-sensitive, and correspond to the parameter name used by the `in` property. If `in` is `path`, the `name` field MUST correspond to the named capture group from the configured `route`." + "type": "string" } }, { "required": { + "description": "Determines whether this parameter is mandatory.", "required": true, - "type": "boolean", - "description": "Determines whether this parameter is mandatory." + "type": "boolean" } }, { "style": { + "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", + "type": "string", "one_of": [ "label", "form", @@ -116,15 +110,13 @@ "spaceDelimited", "pipeDelimited", "deepObject" - ], - "description": "Required when `schema` and `explode` are set. Describes how the parameter value will be deserialized depending on the type of the parameter value.", - "type": "string" + ] } }, { "explode": { - "type": "boolean", - "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect." + "description": "Required when `schema` and `style` are set. When `explode` is `true`, parameter values of type `array` or `object` generate separate parameters for each value of the array or key-value pair of the map. For other types of parameters, this property has no effect.", + "type": "boolean" } }, { @@ -134,6 +126,7 @@ } } ], + "type": "record", "entity_checks": [ { "mutually_required": [ 
@@ -150,30 +143,28 @@ ] } } - ], - "type": "record" - }, - "description": "Array of parameter validator specification. One of `body_schema` or `parameter_schema` must be specified." + ] + } } }, { "verbose_response": { - "required": true, - "default": false, + "description": "If enabled, the plugin returns more verbose and detailed validation errors.", "type": "boolean", - "description": "If enabled, the plugin returns more verbose and detailed validation errors." + "required": true, + "default": false } }, { "content_type_parameter_validation": { - "required": true, - "default": true, + "description": "Determines whether to enable parameters validation of request content-type.", "type": "boolean", - "description": "Determines whether to enable parameters validation of request content-type." + "required": true, + "default": true } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -182,7 +173,16 @@ ] } ], - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] diff --git a/schemas/response-ratelimiting/3.8.x.json b/schemas/response-ratelimiting/3.8.x.json index f069f16..e443ef9 100644 --- a/schemas/response-ratelimiting/3.8.x.json +++ b/schemas/response-ratelimiting/3.8.x.json 
@@ -1,45 +1,8 @@ { - "entity_checks": [ - { - "conditional": { - "then_field": "config.redis.host", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.port", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - }, - { - "conditional": { - "then_field": "config.redis.timeout", - "if_match": { - "eq": "redis" - }, - "then_match": { - "required": true - }, - "if_field": "config.policy" - } - } - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -56,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -73,152 +35,147 @@ "fields": [ { "header_name": { - "default": "x-kong-limit", + "description": "The name of the response header used to increment the counters.", "type": "string", - "description": "The name of the response header used to increment the counters." + "default": "x-kong-limit" } }, { "limit_by": { + "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`.", "type": "string", "default": "consumer", "one_of": [ "consumer", "credential", "ip" - ], - "description": "The entity that will be used when aggregating the limits: `consumer`, `credential`, `ip`. If the `consumer` or the `credential` cannot be determined, the system will always fallback to `ip`." + ] } }, { "policy": { + "description": "The rate-limiting policies to use for retrieving and incrementing the limits.", "type": "string", "default": "local", "one_of": [ "local", "cluster", "redis" - ], - "description": "The rate-limiting policies to use for retrieving and incrementing the limits." + ] } }, { "fault_tolerant": { + "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors.", "required": true, - "default": true, "type": "boolean", - "description": "A boolean value that determines if the requests should be proxied even if Kong has troubles connecting a third-party datastore. If `true`, requests will be proxied anyway, effectively disabling the rate-limiting function until the datastore is working again. If `false`, then the clients will see `500` errors." 
+ "default": true } }, { "redis": { + "description": "Redis configuration", + "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 6379 } }, { "timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { - "referenceable": true, + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "len_min": 0, "type": "string", - "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." 
+ "referenceable": true, + "encrypted": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "ssl": { - "required": false, - "default": false, + "description": "If set to true, uses SSL to connect to Redis.", "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "required": false, + "default": false } }, { "ssl_verify": { - "required": false, - "default": false, + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "required": false, + "default": false } }, { "server_name": { - "required": false, "description": "A string representing an SNI (server name indication) value for TLS.", + "required": false, "type": "string" } } ], - "description": "Redis configuration", - "required": true, - "type": "record" + "required": true } }, { "block_on_first_violation": { + "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. This will block requests that are supposed to consume other limits too.", "required": true, - "default": false, "type": "boolean", - "description": "A boolean value that determines if the requests should be blocked as soon as one limit is being exceeded. 
This will block requests that are supposed to consume other limits too." + "default": false } }, { "hide_client_headers": { + "description": "Optionally hide informative response headers.", "required": true, - "default": false, "type": "boolean", - "description": "Optionally hide informative response headers." + "default": false } }, { "limits": { - "required": true, - "keys": { - "type": "string" - }, + "description": "A map that defines rate limits for the plugin.", "len_min": 1, - "type": "map", "values": { - "required": true, "fields": [ { "second": { @@ -257,6 +214,7 @@ } } ], + "required": true, "entity_checks": [ { "at_least_one_of": [ 
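Review bot: In hunk `@@ -73,152 +35,147 @@` the `redis` record keeps `ssl` and `ssl_verify` at `"default": false`, and neither description says what that default means for the `password` field declared just above them. With `policy` set to `redis`, that password (marked `encrypted` in the schema) is sent over a connection that is not encrypted unless `ssl` is set, and whose server certificate is not checked unless `ssl_verify` is set too. The `fault_tolerant` description already spells out the consequence of its fail-open default; the TLS fields deserve the same, for example `"description": "If set to true, uses SSL to connect to Redis. When false (the default), the connection, including the Redis password, is not encrypted."`. The file looks generated, so the wording probably has to change in the upstream schema.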
@@ -271,132 +229,246 @@ ], "type": "record" }, - "description": "A map that defines rate limits for the plugin." + "keys": { + "type": "string" + }, + "type": "map", + "required": true } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "redis_host": { - "deprecation": { - "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "redis", "host" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "response-ratelimiting: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } } }, { "redis_port": { - "deprecation": { - "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "port" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "response-ratelimiting: config.redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } } }, { "redis_password": { - "deprecation": { - "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, "len_min": 0, + "type": "string", "translate_backwards": [ "redis", "password" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "response-ratelimiting: config.redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } } }, { "redis_username": { - "deprecation": { - "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", - "removal_in_version": "4.0" - }, + 
"type": "string", "translate_backwards": [ "redis", "username" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "response-ratelimiting: config.redis_username is deprecated, please use config.redis.username instead", + "removal_in_version": "4.0" + } } }, { "redis_ssl": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, + "type": "boolean", "translate_backwards": [ "redis", "ssl" ], - "type": "boolean" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } } }, { "redis_ssl_verify": { - "deprecation": { - "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, + "type": "boolean", "translate_backwards": [ "redis", "ssl_verify" ], - "type": "boolean" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "response-ratelimiting: config.redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } } }, { "redis_server_name": { - "deprecation": { - "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", - "removal_in_version": "4.0" - }, + "type": "string", "translate_backwards": [ "redis", "server_name" ], - "type": "string" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "server_name" + ] + } + ], + "message": "response-ratelimiting: config.redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } } }, { "redis_timeout": { - "deprecation": { - "message": 
"response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "timeout" + ] + } + ], + "message": "response-ratelimiting: config.redis_timeout is deprecated, please use config.redis.timeout instead", + "removal_in_version": "4.0" + } } }, { "redis_database": { - "deprecation": { - "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "redis", "database" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "database" + ] + } + ], + "message": "response-ratelimiting: config.redis_database is deprecated, please use config.redis.database instead", + "removal_in_version": "4.0" + } } } ], - "type": "record" + "required": true + } + } + ], + "entity_checks": [ + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.host", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.port", + "then_match": { + "required": true + } + } + }, + { + "conditional": { + "if_field": "config.policy", + "if_match": { + "eq": "redis" + }, + "then_field": "config.redis.timeout", + "then_match": { + "required": true + } } } ] diff --git a/schemas/response-transformer-advanced/3.8.x.json b/schemas/response-transformer-advanced/3.8.x.json index 29ea518..1d32331 100644 --- a/schemas/response-transformer-advanced/3.8.x.json +++ b/schemas/response-transformer-advanced/3.8.x.json 
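Review bot: The deprecated `redis_password` shorthand in hunk `@@ -271,132 +229,246 @@` carries only `len_min`, `type`, `translate_backwards` and `deprecation`. The `redis.password` field named in its new `replaced_with` path is declared with `"referenceable": true` and `"encrypted": true`. A tool that reads this schema to decide which inputs to mask, or where vault references are accepted, would presumably treat the deprecated key as an ordinary string until its removal in 4.0. Whether the gateway applies the canonical field's attributes after translation is not visible here. If the schema format allows it on shorthand fields, mirror them with `"referenceable": true, "encrypted": true`; otherwise say in the deprecation `message` that the value is a secret. `redis_username` has the same gap for `referenceable`.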
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -33,40 +30,40 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -74,30 +71,30 @@ "fields": [ { "headers": { + "type": "array", "default": [ ], "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -105,23 +102,24 @@ "fields": [ { "body": { - "type": "string", - "description": "String with which to replace the entire response body." + "description": "String with which to replace the entire response body.", + "type": "string" } }, { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -132,35 +130,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -168,17 +165,18 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -189,35 +187,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -225,17 +222,18 @@ "fields": [ { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "type": "array", "default": [ ], @@ -246,35 +244,34 @@ "number", "string" ] - }, - "type": "array" + } } }, { "headers": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -282,15 +279,15 @@ "fields": [ { "json": { + "type": "set", "elements": { "type": "string" - }, - "type": "set" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -298,53 +295,56 @@ "fields": [ { "functions": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "if_status": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } }, { "json": { + "type": "array", "default": [ ], "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { "dots_in_keys": { - "default": true, + "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects..", "type": "boolean", - "description": "Whether dots (for example, `customers.info.phone`) should be treated as part of a property name or used to descend into nested JSON objects.." + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/response-transformer/3.8.x.json b/schemas/response-transformer/3.8.x.json index 8a18c97..0219110 100644 --- a/schemas/response-transformer/3.8.x.json +++ b/schemas/response-transformer/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,8 +19,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { @@ -33,31 +30,31 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
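Review bot: The `functions` array in hunk `@@ -298,53 +295,56 @@` has no `description`, although `dots_in_keys` in the same hunk has one. If its elements are code that the gateway evaluates against the response, as the name suggests (to be confirmed against the plugin's documentation), then anyone who can write this field can run code in the gateway. A UI or reference page generated from this schema should say so, along the lines of `"description": "Functions applied to the response body; treat write access to this field as code execution in the gateway."`. Separately, the moved `dots_in_keys` description still ends in `objects..` with a doubled full stop. The record that holds `functions` opens outside this hunk.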
@@ -65,33 +62,33 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -99,19 +96,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -124,26 +122,25 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -151,19 +148,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", 
@@ -176,26 +174,25 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { @@ -203,19 +200,20 @@ "fields": [ { "json": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } }, { "json_types": { + "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string.", "required": true, "elements": { "type": "string", @@ -228,32 +226,34 @@ "type": "array", "default": [ - ], - "description": "List of JSON type names. Specify the types of the JSON values returned when appending\nJSON properties. Each string element can be one of: boolean, number, or string." + ] } }, { "headers": { - "required": true, "default": [ ], + "required": true, + "type": "array", "elements": { "match": "^[^:]+:.*$", "type": "string" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-by-header/3.8.x.json b/schemas/route-by-header/3.8.x.json index f677e3c..df00254 100644 --- a/schemas/route-by-header/3.8.x.json +++ b/schemas/route-by-header/3.8.x.json 
@@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -39,6 +36,7 @@ { "rules": { "description": "Route by header rules.", + "type": "array", "default": [ ], @@ -46,33 +44,35 @@ "fields": [ { "upstream_name": { - "required": true, - "type": "string" + "type": "string", + "required": true } }, { "condition": { - "required": true, "len_min": 1, - "type": "map", "values": { "type": "string" }, "keys": { "type": "string" - } + }, + "type": "map", + "required": true } } ], "type": "record" - }, - "type": "array" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/route-transformer-advanced/3.8.x.json b/schemas/route-transformer-advanced/3.8.x.json index b21a71d..76ec77f 100644 --- a/schemas/route-transformer-advanced/3.8.x.json +++ b/schemas/route-transformer-advanced/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -58,7 +55,7 @@ } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ 
@@ -68,8 +65,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/saml/3.8.x.json b/schemas/saml/3.8.x.json index 2e0448a..1815727 100644 --- a/schemas/saml/3.8.x.json +++ b/schemas/saml/3.8.x.json @@ -1,24 +1,16 @@ { - "entity_checks": [ - { - "custom_entity_check": { - "field_sources": [ - "config" - ] - } - } - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
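Review bot: The top-level `entity_checks` entry holding `custom_entity_check` over `config` is removed from the head of `schemas/saml/3.8.x.json` in the `@@ -1,24 +1,16 @@` hunk, and nothing visible shows it being re-emitted. The other files visible in this diff end with an empty `"entity_checks": [ ]`, so if this file's tail (outside the visible hunks) is regenerated the same way, the check is lost rather than moved, and anything validating SAML plugin configuration against this schema would no longer know a cross-field rule exists. The following hunk likewise drops the `redis` record's `entity_checks` (`mutually_exclusive_sets`, `mutually_required`, `conditional`) from ahead of `fields`; it runs past the visible part, so confirm they reappear after `fields`. If the change is meant to be key-order only, the relocated array should still carry `{ "custom_entity_check": { "field_sources": [ "config" ] } }`.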
@@ -35,1140 +27,1299 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "config": { - "required": true, - "shorthand_fields": [ + "fields": [ { - "session_cookie_lifetime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" + "assertion_consumer_path": { + "match_none": [ + { + "pattern": "//", + "err": "must not have empty segments" + } + ], + "required": true, + "starts_with": "/", + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." } }, { - "session_cookie_idletime": { - "deprecation": { - "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", - "removal_in_version": "4.0" - }, - "type": "number" + "idp_sso_url": { + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "required": true, + "type": "string" } }, { - "session_cookie_samesite": { - "deprecation": { - "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", - "removal_in_version": "4.0" - }, - "type": "string" + "idp_certificate": { + "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_cookie_httponly": { - "deprecation": { - "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", - "removal_in_version": "4.0" - }, - "type": "boolean" + "response_encryption_key": { + "description": "The private encryption key required to decrypt encrypted assertions.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_prefix": { - "deprecation": { - "message": "openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signing_key": { + "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_socket": { - "deprecation": { - "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signing_certificate": { + "description": "The certificate for signing requests.", + "required": false, + "type": "string", + "encrypted": true, + "referenceable": true } }, { - "session_memcache_host": { - "deprecation": { - "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", - "removal_in_version": "4.0" - }, - "type": "string" + "request_signature_algorithm": { + "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" } }, { - "session_memcache_port": { - "deprecation": { - "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", - "removal_in_version": "4.0" - }, - "type": "integer" + "request_digest_algorithm": { + "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" } }, { - "session_cookie_renew": { - "deprecation": { - "message": "openid-connect: config.session_cookie_renew option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "response_signature_algorithm": { + "description": "The algorithm for validating signatures in SAML responses. Options available are: - `SHA256` - `SHA384` - `SHA512`", + "required": false, + "one_of": [ + "SHA256", + "SHA384", + "SHA512" + ], + "type": "string", + "default": "SHA256" } }, { - "session_cookie_maxsize": { - "deprecation": { - "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "integer" + "response_digest_algorithm": { + "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`", + "required": false, + "one_of": [ + "SHA256", + "SHA1" + ], + "type": "string", + "default": "SHA256" } }, { - "session_strategy": { - "deprecation": { - "message": "openid-connect: config.session_strategy option does not exist anymore", - "removal_in_version": "4.0" - }, + "issuer": { + "description": "The unique identifier of the IdP application. 
Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", + "required": true, "type": "string" } }, { - "session_compressor": { - "deprecation": { - "message": "openid-connect: config.session_compressor option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "string" + "nameid_format": { + "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`", + "required": false, + "one_of": [ + "Unspecified", + "EmailAddress", + "Persistent", + "Transient" + ], + "type": "string", + "default": "EmailAddress" } }, { - "session_auth_ttl": { - "deprecation": { - "message": "openid-connect: config.session_auth_ttl option does not exist anymore", - "removal_in_version": "4.0" - }, - "type": "number" + "validate_assertion_signature": { + "description": "Enable signature validation for SAML responses.", + "required": false, + "type": "boolean", + "default": true } }, { - "session_redis_prefix": { - "deprecation": { - "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "prefix" - ], + "anonymous": { + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", + "required": false, "type": "string" } }, { - "session_redis_socket": { - "deprecation": { - "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "socket" - ], - "type": "string" + "session_secret": { + "description": "The session secret. 
This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange.", + "required": true, + "len_max": 32, + "match": "^[0-9a-zA-Z/_+]+$", + "referenceable": true, + "type": "string", + "len_min": 32, + "encrypted": true } }, { - "session_redis_host": { - "deprecation": { - "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "host" - ], - "type": "string" + "session_audience": { + "description": "The session audience, for example \"my-application\"", + "required": false, + "type": "string", + "default": "default" } }, { - "session_redis_port": { - "deprecation": { - "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "port" - ], - "type": "integer" + "session_cookie_name": { + "description": "The session cookie name.", + "required": false, + "type": "string", + "default": "session" } }, { - "session_redis_username": { - "deprecation": { - "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "username" - ], - "type": "string" + "session_remember": { + "description": "Enables or disables persistent sessions", + "required": false, + "type": "boolean", + "default": false } }, { - "session_redis_password": { - "deprecation": { - "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "password" - ], - "type": "string" + "session_remember_cookie_name": { + "description": "Persistent session cookie name", + "required": 
false, + "type": "string", + "default": "remember" } }, { - "session_redis_connect_timeout": { - "deprecation": { - "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "connect_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_read_timeout": { - "deprecation": { - "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "read_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_send_timeout": { - "deprecation": { - "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "send_timeout" - ], - "type": "integer" - } - }, - { - "session_redis_ssl": { - "deprecation": { - "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl" - ], - "type": "boolean" + "session_remember_rolling_timeout": { + "description": "Persistent session rolling timeout in seconds.", + "required": false, + "type": "number", + "default": 604800 } }, { - "session_redis_ssl_verify": { - "deprecation": { - "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "ssl_verify" - ], - "type": "boolean" + "session_remember_absolute_timeout": { + "description": "Persistent session absolute timeout in seconds.", + "required": false, + "type": "number", + "default": 2592000 } }, { - "session_redis_server_name": { - "deprecation": { - "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name 
instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "server_name" - ], - "type": "string" + "session_idling_timeout": { + "description": "The session cookie idle time in seconds.", + "required": false, + "type": "number", + "default": 900 } }, { - "session_redis_cluster_nodes": { - "deprecation": { - "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", - "removal_in_version": "4.0" - }, - "elements": { - "fields": [ - { - "ip": { - "required": true, - "default": "127.0.0.1", - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 65535 - ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - } - ], - "type": "record" - }, - "translate_backwards": [ - "redis", - "cluster_nodes" - ], - "type": "array" + "session_rolling_timeout": { + "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 3600 } }, { - "session_redis_cluster_max_redirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" + "session_absolute_timeout": { + "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", + "required": false, + "type": "number", + "default": 86400 } }, { - "session_redis_cluster_maxredirections": { - "deprecation": { - "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", - "removal_in_version": "4.0" - }, - "translate_backwards": [ - "redis", - "cluster_max_redirections" - ], - "type": "integer" - } - } - ], - "fields": [ - { - "assertion_consumer_path": { - "required": true, + "session_cookie_path": { "match_none": [ { "pattern": "//", "err": "must not have empty segments" } ], - "type": "string", + "required": false, "starts_with": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." + "type": "string", + "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes).", + "default": "/" } }, { - "idp_sso_url": { - "required": true, - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "session_cookie_domain": { + "description": "The session cookie domain flag.", + "required": false, "type": "string" } }, { - "idp_certificate": { + "session_cookie_same_site": { + "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks.", "required": false, - "referenceable": true, + "one_of": [ + "Strict", + "Lax", + "None", + "Default" + ], "type": "string", - "encrypted": true, - "description": "The public certificate provided by the IdP. This is used to validate responses from the IdP. Only include the contents of the certificate. 
Do not include the header (`BEGIN CERTIFICATE`) and footer (`END CERTIFICATE`) lines." + "default": "Lax" } }, { - "response_encryption_key": { + "session_cookie_http_only": { + "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The private encryption key required to decrypt encrypted assertions." + "type": "boolean", + "default": true } }, { - "request_signing_key": { + "session_cookie_secure": { + "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The private key for signing requests. If this parameter is set, requests sent to the IdP are signed. The `request_signing_certificate` parameter must be set as well." + "type": "boolean" } }, { - "request_signing_certificate": { - "required": false, - "referenceable": true, - "type": "string", - "encrypted": true, - "description": "The certificate for signing requests." + "session_request_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "request_signature_algorithm": { - "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ], - "description": "The signature algorithm for signing Authn requests. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + "session_response_headers": { + "type": "set", + "elements": { + "type": "string", + "one_of": [ + "id", + "audience", + "subject", + "timeout", + "idling-timeout", + "rolling-timeout", + "absolute-timeout" + ] + } } }, { - "request_digest_algorithm": { + "session_storage": { + "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis", "required": false, - "type": "string", - "default": "SHA256", "one_of": [ - "SHA256", - "SHA1" + "cookie", + "memcache", + "memcached", + "redis" ], - "description": "The digest algorithm for Authn requests: - `SHA256` - `SHA1`" + "type": "string", + "default": "cookie" } }, { - "response_signature_algorithm": { + "session_store_metadata": { + "description": "Configures whether or not session metadata should be stored. This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA384", - "SHA512" - ], - "description": "The algorithm for validating signatures in SAML responses. 
Options available are: - `SHA256` - `SHA384` - `SHA512`" + "type": "boolean", + "default": false } }, { - "response_digest_algorithm": { + "session_enforce_same_subject": { + "description": "When set to `true`, audiences are forced to share the same subject.", "required": false, - "type": "string", - "default": "SHA256", - "one_of": [ - "SHA256", - "SHA1" - ], - "description": "The algorithm for verifying digest in SAML responses: - `SHA256` - `SHA1`" + "type": "boolean", + "default": false } }, { - "issuer": { - "required": true, - "description": "The unique identifier of the IdP application. Formatted as a URL containing information about the IdP so the SP can validate that the SAML assertions it receives are issued from the correct IdP.", - "type": "string" + "session_hash_subject": { + "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", + "required": false, + "type": "boolean", + "default": false } }, { - "nameid_format": { + "session_hash_storage_key": { + "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", "required": false, - "type": "string", - "default": "EmailAddress", - "one_of": [ - "Unspecified", - "EmailAddress", - "Persistent", - "Transient" - ], - "description": "The requested `NameId` format. Options available are: - `Unspecified` - `EmailAddress` - `Persistent` - `Transient`" - } - }, - { - "validate_assertion_signature": { - "required": false, - "default": true, - "description": "Enable signature validation for SAML responses.", - "type": "boolean" - } - }, - { - "anonymous": { - "required": false, - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer. 
If not set, a Kong Consumer must exist for the SAML IdP user credentials, mapping the username format to the Kong Consumer username.", - "type": "string" - } - }, - { - "session_secret": { - "required": true, - "referenceable": true, - "match": "^[0-9a-zA-Z/_+]+$", - "type": "string", - "len_max": 32, - "len_min": 32, - "encrypted": true, - "description": "The session secret. This must be a random string of 32 characters from the base64 alphabet (letters, numbers, `/`, `_` and `+`). It is used as the secret key for encrypting session data as well as state information that is sent to the IdP in the authentication exchange." - } - }, - { - "session_audience": { - "required": false, - "default": "default", - "description": "The session audience, for example \"my-application\"", - "type": "string" - } - }, - { - "session_cookie_name": { - "required": false, - "default": "session", - "description": "The session cookie name.", - "type": "string" - } - }, - { - "session_remember": { - "required": false, - "default": false, - "description": "Enables or disables persistent sessions", - "type": "boolean" - } - }, - { - "session_remember_cookie_name": { - "required": false, - "default": "remember", - "description": "Persistent session cookie name", - "type": "string" - } - }, - { - "session_remember_rolling_timeout": { - "required": false, - "default": 604800, - "description": "Persistent session rolling timeout in seconds.", - "type": "number" - } - }, - { - "session_remember_absolute_timeout": { - "required": false, - "default": 2592000, - "description": "Persistent session absolute timeout in seconds.", - "type": "number" - } - }, - { - "session_idling_timeout": { - "required": false, - "default": 900, - "description": "The session cookie idle time in seconds.", - "type": "number" - } - }, - { - "session_rolling_timeout": { - "required": false, - "default": 3600, - "description": "The session cookie absolute timeout in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "type": "number" - } - }, - { - "session_absolute_timeout": { - "required": false, - "default": 86400, - "description": "The session cookie absolute timeout in seconds. Specifies how long the session can be used until it is no longer valid.", - "type": "number" - } - }, - { - "session_cookie_path": { - "required": false, - "match_none": [ - { - "pattern": "//", - "err": "must not have empty segments" - } - ], - "type": "string", - "starts_with": "/", - "default": "/", - "description": "A string representing a URL path, such as /path/to/resource. Must start with a forward slash (/) and must not contain empty segments (i.e., two consecutive forward slashes)." - } - }, - { - "session_cookie_domain": { - "required": false, - "description": "The session cookie domain flag.", - "type": "string" - } - }, - { - "session_cookie_same_site": { - "required": false, - "type": "string", - "default": "Lax", - "one_of": [ - "Strict", - "Lax", - "None", - "Default" - ], - "description": "Controls whether a cookie is sent with cross-origin requests, providing some protection against cross-site request forgery attacks." 
- } - }, - { - "session_cookie_http_only": { - "required": false, - "default": true, - "description": "Forbids JavaScript from accessing the cookie, for example, through the `Document.cookie` property.", - "type": "boolean" - } - }, - { - "session_cookie_secure": { - "required": false, - "description": "The cookie is only sent to the server when a request is made with the https:scheme (except on localhost), and therefore is more resistant to man-in-the-middle attacks.", - "type": "boolean" - } - }, - { - "session_request_headers": { - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_response_headers": { - "elements": { - "type": "string", - "one_of": [ - "id", - "audience", - "subject", - "timeout", - "idling-timeout", - "rolling-timeout", - "absolute-timeout" - ] - }, - "type": "set" - } - }, - { - "session_storage": { - "required": false, - "type": "string", - "default": "cookie", - "one_of": [ - "cookie", - "memcache", - "memcached", - "redis" - ], - "description": "The session storage for session data: - `cookie`: stores session data with the session cookie. The session cannot be invalidated or revoked without changing the session secret, but is stateless, and doesn't require a database. - `memcached`: stores session data in memcached - `redis`: stores session data in Redis" - } - }, - { - "session_store_metadata": { - "required": false, - "default": false, - "description": "Configures whether or not session metadata should be stored. 
This includes information about the active sessions for the `specific_audience` belonging to a specific subject.", - "type": "boolean" - } - }, - { - "session_enforce_same_subject": { - "required": false, - "default": false, - "description": "When set to `true`, audiences are forced to share the same subject.", - "type": "boolean" - } - }, - { - "session_hash_subject": { - "required": false, - "default": false, - "description": "When set to `true`, the value of subject is hashed before being stored. Only applies when `session_store_metadata` is enabled.", - "type": "boolean" - } - }, - { - "session_hash_storage_key": { - "required": false, - "default": false, - "description": "When set to `true`, the storage key (session ID) is hashed for extra security. Hashing the storage key means it is impossible to decrypt data from the storage without a cookie.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "session_memcached_prefix": { - "required": false, "description": "The memcached session key prefix.", + "required": false, "type": "string" } }, { "session_memcached_socket": { - "required": false, "description": "The memcached unix socket path.", + "required": false, "type": "string" } }, { "session_memcached_host": { - "required": false, - "default": "127.0.0.1", "description": "The memcached host.", - "type": "string" + "required": false, + "type": "string", + "default": "127.0.0.1" } }, { "session_memcached_port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "required": false, - "type": "integer", "between": [ 0, 65535 ], - "default": 11211, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "type": "integer", + "default": 11211 } }, { "redis": { - "required": true, - "entity_checks": [ + "fields": [ { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] + "host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { - "mutually_exclusive_sets": { - "set2": [ - "cluster_nodes" - ], - "set1": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 ] } }, { - "mutually_exclusive_sets": { - "set2": [ - "host", - "port" + "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", + "between": [ + 0, + 2147483646 ], - "set1": [ - "cluster_nodes" - ] - } - }, - { - "mutually_required": [ - "sentinel_master", - "sentinel_role", - "sentinel_nodes" - ] - }, - { - "mutually_required": [ - "host", - "port" - ] - }, - { - "mutually_required": [ - "connect_timeout", - "send_timeout", - "read_timeout" - ] - }, - { - "conditional": { - "then_field": "host", - "if_field": "connection_is_proxied", - "then_match": { - "required": true - }, - "if_match": { - "eq": true - } - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "database", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "cluster_nodes", - "connection_is_proxied" - ] - } - }, - { - "custom_entity_check": { - "run_with_missing_fields": true, - "field_sources": [ - "sentinel_role", - "connection_is_proxied" - ] - } - } - ], - "type": "record", - "fields": [ - { - "host": { - "description": "A string representing a host name, such as example.com.", - "type": "string" - } - }, - { - "port": { - "between": [ - 0, - 
65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" - } - }, - { - "connect_timeout": { - "between": [ - 0, - 2147483646 - ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "username": { - "referenceable": true, + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "referenceable": true } }, { "sentinel_username": { - "referenceable": true, + "description": "Sentinel username to authenticate with a Redis Sentinel instance. 
If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "referenceable": true, "encrypted": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." + "referenceable": true } }, { "database": { - "default": 0, + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "type": "integer", - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." 
+ "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", - "type": "integer" + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", + "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", - "type": "string" + ] } }, { "sentinel_nodes": { + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. 
Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "host": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "len_min": 1 } }, { "cluster_nodes": { + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, "elements": { "fields": [ { "ip": { - "required": true, - "default": "127.0.0.1", "description": "A string representing a host name, such as example.com.", - "type": "string" + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "type": "integer", - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } ], "type": "record" }, - "len_min": 1, "type": "array", - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." 
+ "len_min": 1 } }, { "ssl": { + "description": "If set to true, uses SSL to connect to Redis.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, uses SSL to connect to Redis." + "default": false } }, { "ssl_verify": { + "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly.", "required": false, - "default": false, "type": "boolean", - "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + "default": false } }, { "server_name": { - "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", "type": "string", - "description": "A string representing an SNI (server name indication) value for TLS." + "required": false } }, { "cluster_max_redirections": { - "required": false, - "default": 5, "description": "Maximum retry attempts for redirection.", - "type": "integer" + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", "required": false, - "default": false, "type": "boolean", - "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." 
+ "default": false } }, { "prefix": { - "required": false, "description": "The Redis session key prefix.", + "required": false, "type": "string" } }, { "socket": { - "required": false, "description": "The Redis unix socket path.", + "required": false, "type": "string" } } ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "then_match": { + "required": true + }, + "if_match": { + "eq": true + }, + "then_field": "host" + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ], "shorthand_fields": [ { "timeout": { - "deprecation": { - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", - "removal_in_version": "4.0" - }, + "type": "integer", "translate_backwards": [ "connect_timeout" ], - "type": "integer" + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + 
"path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } }, { "cluster_addresses": { "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], "message": "cluster_addresses is deprecated, please use cluster_nodes instead", "removal_in_version": "4.0" }, + "len_min": 1, "type": "array", "elements": { "type": "string" - }, - "len_min": 1 + } } } - ] + ], + "required": true, + "type": "record" } } ], - "type": "record" + "required": true, + "shorthand_fields": [ + { + "session_cookie_lifetime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_lifetime is deprecated, please use config.session_rolling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_idletime": { + "deprecation": { + "message": "openid-connect: config.session_cookie_idletime is deprecated, please use config.session_idling_timeout instead", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_samesite": { + "deprecation": { + "message": "openid-connect: config.session_cookie_samesite is deprecated, please use config.session_cookie_same_site instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_cookie_httponly": { + "deprecation": { + "message": "openid-connect: config.session_cookie_httponly is deprecated, please use config.session_cookie_http_only instead", + "removal_in_version": "4.0" + }, + "type": "boolean" + } + }, + { + "session_memcache_prefix": { + "deprecation": { + "message": 
"openid-connect: config.session_memcache_prefix is deprecated, please use config.session_memcached_prefix instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_socket": { + "deprecation": { + "message": "openid-connect: config.session_memcache_socket is deprecated, please use config.session_memcached_socket instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_host": { + "deprecation": { + "message": "openid-connect: config.session_memcache_host is deprecated, please use config.session_memcached_host instead", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_memcache_port": { + "deprecation": { + "message": "openid-connect: config.session_memcache_port is deprecated, please use config.session_memcached_port instead", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_cookie_renew": { + "deprecation": { + "message": "openid-connect: config.session_cookie_renew option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_cookie_maxsize": { + "deprecation": { + "message": "openid-connect: config.session_cookie_maxsize option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "integer" + } + }, + { + "session_strategy": { + "deprecation": { + "message": "openid-connect: config.session_strategy option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_compressor": { + "deprecation": { + "message": "openid-connect: config.session_compressor option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "string" + } + }, + { + "session_auth_ttl": { + "deprecation": { + "message": "openid-connect: config.session_auth_ttl option does not exist anymore", + "removal_in_version": "4.0" + }, + "type": "number" + } + }, + { + "session_redis_prefix": { + "type": "string", + "translate_backwards": [ + 
"redis", + "prefix" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "prefix" + ] + } + ], + "message": "saml: config.session_redis_prefix is deprecated, please use config.redis.prefix instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_socket": { + "type": "string", + "translate_backwards": [ + "redis", + "socket" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "socket" + ] + } + ], + "message": "saml: config.session_redis_socket is deprecated, please use config.redis.socket instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_host": { + "type": "string", + "translate_backwards": [ + "redis", + "host" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "host" + ] + } + ], + "message": "saml: config.session_redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_port": { + "type": "integer", + "translate_backwards": [ + "redis", + "port" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "port" + ] + } + ], + "message": "saml: config.session_redis_port is deprecated, please use config.redis.port instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_username": { + "type": "string", + "translate_backwards": [ + "redis", + "username" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "username" + ] + } + ], + "message": "saml: config.redis_host is deprecated, please use config.redis.host instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_password": { + "type": "string", + "translate_backwards": [ + "redis", + "password" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "password" + ] + } + ], + "message": "saml: config.session_redis_password is deprecated, please use config.redis.password instead", + "removal_in_version": "4.0" + } + } + }, + { + 
"session_redis_connect_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "connect_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "connect_timeout" + ] + } + ], + "message": "saml: config.session_redis_connect_timeout is deprecated, please use config.redis.connect_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_read_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "read_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "read_timeout" + ] + } + ], + "message": "saml: config.session_redis_read_timeout is deprecated, please use config.redis.read_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_send_timeout": { + "type": "integer", + "translate_backwards": [ + "redis", + "send_timeout" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "send_timeout" + ] + } + ], + "message": "saml: config.session_redis_send_timeout is deprecated, please use config.redis.send_timeout instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl" + ] + } + ], + "message": "saml: config.session_redis_ssl is deprecated, please use config.redis.ssl instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_ssl_verify": { + "type": "boolean", + "translate_backwards": [ + "redis", + "ssl_verify" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "ssl_verify" + ] + } + ], + "message": "saml: config.session_redis_ssl_verify is deprecated, please use config.redis.ssl_verify instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_server_name": { + "type": "string", + "translate_backwards": [ + "redis", + "server_name" + ], + "deprecation": { + "replaced_with": [ + { + "path": 
[ + "redis", + "server_name" + ] + } + ], + "message": "saml: config.session_redis_server_name is deprecated, please use config.redis.server_name instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_nodes": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_nodes" + ] + } + ], + "message": "saml: config.session_redis_cluster_nodes is deprecated, please use config.redis.cluster_nodes instead", + "removal_in_version": "4.0" + }, + "type": "array", + "translate_backwards": [ + "redis", + "cluster_nodes" + ], + "elements": { + "fields": [ + { + "ip": { + "description": "A string representing a host name, such as example.com.", + "required": true, + "type": "string", + "default": "127.0.0.1" + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ], + "default": 6379 + } + } + ], + "type": "record" + } + } + }, + { + "session_redis_cluster_max_redirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_max_redirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + }, + { + "session_redis_cluster_maxredirections": { + "type": "integer", + "translate_backwards": [ + "redis", + "cluster_max_redirections" + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "redis", + "cluster_max_redirections" + ] + } + ], + "message": "saml: config.session_redis_cluster_maxredirections is deprecated, please use config.redis.cluster_max_redirections instead", + "removal_in_version": "4.0" + } + } + } + ], + "type": "record" + } + } + ], + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] } } ] 
diff --git a/schemas/session/3.8.x.json b/schemas/session/3.8.x.json index 4bd0b51..decea8f 100644 --- a/schemas/session/3.8.x.json +++ b/schemas/session/3.8.x.json @@ -1,20 +1,20 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -26,9 +26,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -36,15 +34,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -53,137 +50,138 @@ "fields": [ { "secret": { + "description": "The secret that is used in keyed HMAC generation.", "required": false, "referenceable": true, "type": "string", - "default": "jJoUL7vTfOhDYLGGEM4Dwk8E8Ahh3KwRHsDVdtqtOYIc", "encrypted": true, - "description": "The secret that is used in keyed HMAC generation." + "default": "7iK18YEanf6i9XHvNwzx4RpdmHdRN6nSpPxC1uQxfsse" } }, { "storage": { "description": "Determines where the session data is stored. `kong`: Stores encrypted session data into Kong's current database strategy; the cookie will not contain any session data. `cookie`: Stores encrypted session data within the cookie itself.", + "type": "string", "default": "cookie", "one_of": [ "cookie", "kong" - ], - "type": "string" + ] } }, { "audience": { - "default": "default", "description": "The session audience, which is the intended target application. For example `\"my-application\"`.", - "type": "string" + "type": "string", + "default": "default" } }, { "idling_timeout": { - "default": 900, "description": "The session cookie idle time, in seconds.", - "type": "number" + "type": "number", + "default": 900 } }, { "rolling_timeout": { - "default": 3600, "description": "The session cookie rolling timeout, in seconds. Specifies how long the session can be used until it needs to be renewed.", - "type": "number" + "type": "number", + "default": 3600 } }, { "absolute_timeout": { - "default": 86400, "description": "The session cookie absolute timeout, in seconds. 
Specifies how long the session can be used until it is no longer valid.", - "type": "number" + "type": "number", + "default": 86400 } }, { "stale_ttl": { - "default": 10, "description": "The duration, in seconds, after which an old cookie is discarded, starting from the moment when the session becomes outdated and is replaced by a new one.", - "type": "number" + "type": "number", + "default": 10 } }, { "cookie_name": { - "default": "session", "description": "The name of the cookie.", - "type": "string" + "type": "string", + "default": "session" } }, { "cookie_path": { - "default": "/", "description": "The resource in the host where the cookie is available.", - "type": "string" + "type": "string", + "default": "/" } }, { "cookie_domain": { - "type": "string", - "description": "The domain with which the cookie is intended to be exchanged." + "description": "The domain with which the cookie is intended to be exchanged.", + "type": "string" } }, { "cookie_same_site": { "description": "Determines whether and how a cookie may be sent with cross-site requests.", + "type": "string", "default": "Strict", "one_of": [ "Strict", "Lax", "None", "Default" - ], - "type": "string" + ] } }, { "cookie_http_only": { - "default": true, "description": "Applies the `HttpOnly` tag so that the cookie is sent only to a server.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "cookie_secure": { - "default": true, "description": "Applies the Secure directive so that the cookie may be sent to the server only with an encrypted request over the HTTPS protocol.", - "type": "boolean" + "type": "boolean", + "default": true } }, { "remember": { - "default": false, "description": "Enables or disables persistent sessions.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "remember_cookie_name": { - "default": "remember", "description": "Persistent session cookie name. 
Use with the `remember` configuration parameter.", - "type": "string" + "type": "string", + "default": "remember" } }, { "remember_rolling_timeout": { - "default": 604800, "description": "The persistent session rolling timeout window, in seconds.", - "type": "number" + "type": "number", + "default": 604800 } }, { "remember_absolute_timeout": { - "default": 2592000, "description": "The persistent session absolute timeout limit, in seconds.", - "type": "number" + "type": "number", + "default": 2592000 } }, { "response_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -196,12 +194,12 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { "request_headers": { + "description": "List of information to include, as headers, in the response to the downstream.", "type": "set", "elements": { "type": "string", @@ -214,8 +212,7 @@ "rolling-timeout", "absolute-timeout" ] - }, - "description": "List of information to include, as headers, in the response to the downstream." + } } }, { @@ -226,11 +223,8 @@ }, { "logout_methods": { + "description": "A set of HTTP methods that the plugin will respond to.", "type": "set", - "default": [ - "POST", - "DELETE" - ], "elements": { "type": "string", "one_of": [ 
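Review bot: The `default` of `secret` changes from one random-looking literal to another in this hunk, so the exported schema publishes a concrete HMAC key as the documented default. That the value differs between two dumps of the same 3.8.x schema suggests it is generated when the schema is loaded, although the generator is not visible here. If so, the export should drop the `"default"` line or emit a placeholder such as `"default": "<generated-at-startup>"` (constructed), so that nobody copies the value into a deployment and regeneration stops producing noise diffs. If it is in fact a fixed default, anyone who has read this file can forge sessions signed with it, and the field should carry no default and be `"required": true`.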
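Review bot: The `request_headers` description moved in this hunk is word for word the one used for `response_headers` ("...in the response to the downstream"), so the two fields read as if they do the same thing. Presumably `request_headers` controls the headers added to the request sent upstream. If so, the text should read `"List of information to include, as headers, in the request to the upstream."`. The field's `one_of` list continues in the following hunk.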
@@ -239,25 +233,28 @@ "DELETE" ] }, - "description": "A set of HTTP methods that the plugin will respond to." + "default": [ + "POST", + "DELETE" + ] } }, { "logout_query_arg": { - "default": "session_logout", "description": "The query argument passed to logout requests.", - "type": "string" + "type": "string", + "default": "session_logout" } }, { "logout_post_arg": { - "default": "session_logout", "description": "The POST argument passed to logout requests. Do not change this property.", - "type": "string" + "type": "string", + "default": "session_logout" } } ], - "required": true, + "type": "record", "shorthand_fields": [ { "cookie_lifetime": { @@ -295,8 +292,11 @@ } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/standard-webhooks/3.8.x.json b/schemas/standard-webhooks/3.8.x.json index 13c1126..c1cb595 100644 --- a/schemas/standard-webhooks/3.8.x.json +++ b/schemas/standard-webhooks/3.8.x.json @@ -1,18 +1,16 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -29,8 +27,7 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { 
@@ -38,26 +35,29 @@ "fields": [ { "secret_v1": { + "description": "Webhook secret", "required": true, - "referenceable": true, "type": "string", "encrypted": true, - "description": "Webhook secret" + "referenceable": true } }, { "tolerance_second": { - "gt": -1, - "type": "integer", - "default": 300, + "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response.", "required": true, - "description": "Tolerance of the webhook timestamp in seconds. If the webhook timestamp is older than this number of seconds, it will be rejected with a '400' response." + "type": "integer", + "gt": -1, + "default": 300 } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd-advanced/3.8.x.json b/schemas/statsd-advanced/3.8.x.json index 76c8d2a..ed33f15 100644 --- a/schemas/statsd-advanced/3.8.x.json +++ b/schemas/statsd-advanced/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
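Review bot: In the `standard-webhooks` hunk, `tolerance_second` is bounded only from below (`"gt": -1`), so any large integer passes validation. A large enough value effectively switches off the timestamp check that limits replay of a captured webhook. An upper bound would make the schema enforce a sane replay window, for example by replacing `"gt": -1` with `"between": [0, 3600]` (the ceiling is a constructed example; use the value the plugin is meant to support). The description should also say what a value of `0` means, since the current bound allows it.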
@@ -45,36 +42,37 @@ "fields": [ { "host": { - "default": "localhost", "description": "A string representing a host name, such as example.com.", - "type": "string" + "type": "string", + "default": "localhost" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "An integer representing a port number between 0 and 65535, inclusive.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", + "description": "String to prefix to each metric's name.", "type": "string", - "description": "String to prefix to each metric's name." + "default": "kong" } }, { "metrics": { "description": "List of Metrics to be logged.", + "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_count" }, { @@ -86,8 +84,8 @@ "name": "request_size" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count" }, { @@ -99,8 +97,8 @@ "name": "unique_users" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user" }, { @@ -112,33 +110,33 @@ "name": "kong_latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route" }, { - "sample_rate": 1, "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total" } ], @@ -146,6 +144,7 @@ "fields": [ { "name": { + "type": "string", "required": true, "one_of": [ "kong_latency", 
@@ -163,12 +162,12 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "type": "string" + ] } }, { "stat_type": { + "type": "string", "required": true, "one_of": [ "counter", @@ -177,8 +176,7 @@ "meter", "set", "timer" - ], - "type": "string" + ] } }, { @@ -218,24 +216,25 @@ } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "unique_users" ] }, + "then_field": "stat_type", "then_match": { "eq": "set" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "request_count", 
@@ -248,119 +247,117 @@ "cache_datastore_misses_total" ] }, + "then_field": "stat_type", "then_match": { "eq": "counter" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "stat_type", + "if_field": "name", "if_match": { "one_of": [ "shdict_usage" ] }, + "then_field": "stat_type", "then_match": { "eq": "gauge" - }, - "if_field": "name" + } } }, { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" - }, - "type": "array" + ] + } } }, { "allow_status_codes": { "description": "List of status code ranges that are allowed to be logged in metrics.", + "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "type": "array" + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive).", + "type": "number", "between": [ 0, 65507 ], - "default": 0, - "type": "number", - "description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)." + "default": 0 } }, { "use_tcp": { - "default": false, + "description": "Use TCP instead of UDP.", "type": "boolean", - "description": "Use TCP instead of UDP." + "default": false } }, { "hostname_in_prefix": { - "default": false, + "description": "Include the `hostname` in the `prefix` for each metric name.", "type": "boolean", - "description": "Include the `hostname` in the `prefix` for each metric name." + "default": false } }, { "consumer_identifier_default": { + "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. 
Allowed values are `custom_id`, `consumer_id`, `username`.", "required": true, - "type": "string", - "default": "custom_id", "one_of": [ "consumer_id", "custom_id", "username" ], - "description": "The default consumer identifier for metrics. This will take effect when a metric's consumer identifier is omitted. Allowed values are `custom_id`, `consumer_id`, `username`." + "type": "string", + "default": "custom_id" } }, { "service_identifier_default": { + "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`.", "required": true, - "type": "string", - "default": "service_name_or_host", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" ], - "description": "The default service identifier for metrics. This will take effect when a metric's service identifier is omitted. Allowed values are `service_name_or_host`, `service_id`, `service_name`, `service_host`." + "type": "string", + "default": "service_name_or_host" } }, { "workspace_identifier_default": { + "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. ", "required": true, - "type": "string", - "default": "workspace_id", "one_of": [ "workspace_id", "workspace_name" ], - "description": "The default workspace identifier for metrics. This will take effect when a metric's workspace identifier is omitted. Allowed values are `workspace_id`, `workspace_name`. " + "type": "string", + "default": "workspace_id" } }, { 
@@ -368,92 +365,95 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/statsd/3.8.x.json b/schemas/statsd/3.8.x.json index 2b2e0d1..9d9a047 100644 --- a/schemas/statsd/3.8.x.json +++ b/schemas/statsd/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,102 +42,103 @@ "fields": [ { "host": { - "default": "localhost", "description": "The IP address or hostname of StatsD server to send data to.", - "type": "string" + "type": "string", + "default": "localhost" } }, { "port": { + "description": "The port of StatsD server to send data to.", + "type": "integer", "between": [ 0, 65535 ], - "default": 8125, - "description": "The port of StatsD server to send data to.", - "type": "integer" + "default": 8125 } }, { "prefix": { - "default": "kong", "description": "String to prefix to each metric's name.", - "type": "string" + "type": "string", + "default": "kong" } }, { "metrics": { + "description": "List of metrics to be logged.", "type": "array", "default": [ { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_count" }, { - "name": "latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_size" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "response_size" }, { - "name": "unique_users", - "stat_type": "set" + "stat_type": "set", + "name": "unique_users" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "request_per_user" }, { - "name": "upstream_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "upstream_latency" }, { - "name": "kong_latency", - "stat_type": "timer" + "stat_type": "timer", + "name": "kong_latency" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_workspace" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "status_count_per_user_per_route" }, { - "sample_rate": 1, "stat_type": "gauge", + "sample_rate": 1, "name": "shdict_usage" }, { 
- "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_hits_total" }, { - "sample_rate": 1, "stat_type": "counter", + "sample_rate": 1, "name": "cache_datastore_misses_total" } ], @@ -148,6 +146,8 @@ "fields": [ { "name": { + "description": "StatsD metric’s name.", + "type": "string", "required": true, "one_of": [ "kong_latency", @@ -165,13 +165,13 @@ "shdict_usage", "cache_datastore_hits_total", "cache_datastore_misses_total" - ], - "description": "StatsD metric’s name.", - "type": "string" + ] } }, { "stat_type": { + "description": "Determines what sort of event a metric represents.", + "type": "string", "required": true, "one_of": [ "counter", 
@@ -180,92 +180,89 @@ "meter", "set", "timer" - ], - "description": "Determines what sort of event a metric represents.", - "type": "string" + ] } }, { "sample_rate": { - "gt": 0, "description": "Sampling rate", - "type": "number" + "type": "number", + "gt": 0 } }, { "consumer_identifier": { + "description": "Authenticated user detail.", + "type": "string", "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string", - "description": "Authenticated user detail." + ] } }, { "service_identifier": { + "description": "Service detail.", + "type": "string", "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string", - "description": "Service detail." + ] } }, { "workspace_identifier": { + "description": "Workspace detail.", + "type": "string", "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string", - "description": "Workspace detail." + ] } } ], + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "sample_rate", + "if_field": "stat_type", "if_match": { "one_of": [ "counter", "gauge" ] }, + "then_field": "sample_rate", "then_match": { "required": true - }, - "if_field": "stat_type" + } } } - ], - "type": "record" - }, - "description": "List of metrics to be logged." + ] + } } }, { "allow_status_codes": { + "description": "List of status code ranges that are allowed to be logged in metrics.", "type": "array", "elements": { - "match": "^[0-9]+-[0-9]+$", - "type": "string" - }, - "description": "List of status code ranges that are allowed to be logged in metrics." + "type": "string", + "match": "^[0-9]+-[0-9]+$" + } } }, { "udp_packet_size": { + "type": "number", "between": [ 0, 65507 ], - "default": 0, - "type": "number" + "default": 0 } }, { 
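Review bot: `udp_packet_size`, at the end of this hunk, is left without a `description`, so the 65507 upper bound and the meaning of the default `0` are undocumented for this plugin. The schema patched just before this file in the diff documents the same-named field; if the behaviour matches, reuse its text: `"description": "Combine UDP packet up to the size configured. If zero (0), don't combine the UDP packet. Must be a number between 0 and 65507 (inclusive)."`. The `consumer_identifier_default`, `service_identifier_default` and `workspace_identifier_default` fields in the next hunk (`@@ -282,80 +279,80 @@`) also have no description. If these files are generated, the wording belongs in the plugin's source schema rather than here.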
@@ -282,80 +279,80 @@ }, { "consumer_identifier_default": { - "required": true, "default": "custom_id", + "type": "string", + "required": true, "one_of": [ "consumer_id", "custom_id", "username" - ], - "type": "string" + ] } }, { "service_identifier_default": { - "required": true, "default": "service_name_or_host", + "type": "string", + "required": true, "one_of": [ "service_id", "service_name", "service_host", "service_name_or_host" - ], - "type": "string" + ] } }, { "workspace_identifier_default": { - "required": true, "default": "workspace_id", + "type": "string", + "required": true, "one_of": [ "workspace_id", "workspace_name" - ], - "type": "string" + ] } }, { "retry_count": { + "type": "integer", "deprecation": { + "old_default": 10, "message": "statsd: config.retry_count no longer works, please use config.queue.max_retry_time instead", - "removal_in_version": "4.0", - "old_default": 10 - }, - "type": "integer" + "removal_in_version": "4.0" + } } }, { "queue_size": { + "type": "integer", "deprecation": { + "old_default": 1, "message": "statsd: config.queue_size is deprecated, please use config.queue.max_batch_size instead", - "removal_in_version": "4.0", - "old_default": 1 - }, - "type": "integer" + "removal_in_version": "4.0" + } } }, { "flush_timeout": { + "type": "number", "deprecation": { + "old_default": 2, "message": "statsd: config.flush_timeout is deprecated, please use config.queue.max_coalescing_delay instead", - "removal_in_version": "4.0", - "old_default": 2 - }, - "type": "number" + "removal_in_version": "4.0" + } } }, { "tag_style": { + "type": "string", "required": false, "one_of": [ "dogstatsd", "influxdb", "librato", "signalfx" - ], - "type": "string" + ] } }, { 
@@ -363,92 +360,95 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/syslog/3.8.x.json b/schemas/syslog/3.8.x.json index 8521cf2..5daf010 100644 --- a/schemas/syslog/3.8.x.json +++ b/schemas/syslog/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,8 +42,9 @@ "fields": [ { "log_level": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", 
@@ -56,14 +54,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "successful_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -73,14 +71,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "client_errors_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -90,14 +88,14 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { "server_errors_severity": { - "required": true, "default": "info", + "required": true, + "type": "string", "one_of": [ "debug", "info", @@ -107,8 +105,7 @@ "crit", "alert", "emerg" - ], - "type": "string" + ] } }, { @@ -117,19 +114,18 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } }, { "facility": { + "description": "The facility is used by the operating system to decide how to handle each log message.", "required": true, - "type": "string", - "default": "user", "one_of": [ "auth", "authpriv", @@ -152,13 +148,17 @@ "local6", "local7" ], - "description": "The facility is used by the operating system to decide how to handle each log message." + "type": "string", + "default": "user" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tcp-log/3.8.x.json b/schemas/tcp-log/3.8.x.json index ec1ef0a..3edb1e1 100644 --- a/schemas/tcp-log/3.8.x.json +++ b/schemas/tcp-log/3.8.x.json 
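Review bot: The `custom_fields_by_lua` description kept in the `@@ -117,19 +114,18 @@` hunk, `"Lua code as a key-value map"`, does not tell an operator that the map values are code the plugin evaluates. The tcp-log schema later in this diff describes the same-named field fully; assuming the behaviour is the same here, use `"description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value."`. The udp-log schema carries the same short text in its `@@ -74,18 +71,21 @@` hunk. Whoever may set this field can presumably have Lua run inside the gateway, so the description should make that visible to people deciding who gets write access to the plugin configuration.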
@@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,15 @@ "fields": [ { "host": { - "required": true, "description": "The IP address or host name to send data to.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "The port to send data to on the upstream server.", + "required": true, "between": [ 0, 65535 @@ -63,24 +60,24 @@ }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { "keepalive": { - "default": 60000, "description": "An optional value in milliseconds that defines how long an idle connection lives before being closed.", - "type": "number" + "type": "number", + "default": 60000 } }, { "tls": { - "required": true, - "default": false, "description": "Indicates whether to perform a TLS handshake against the remote server.", - "type": "boolean" + "required": true, + "type": "boolean", + "default": false } }, { 
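Review bot: The `tls` field in the `@@ -63,24 +60,24 @@` hunk keeps `"default": false`, and its description does not say what that default means for the data on the wire. Without a TLS handshake the log entries presumably reach `host`:`port` over plain TCP, which matters when the logs carry request details. I would extend the text to `"description": "Indicates whether to perform a TLS handshake against the remote server. When false (the default), log data is sent unencrypted."`. The record this field belongs to opens in an earlier hunk.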
@@ -91,22 +88,25 @@ }, { "custom_fields_by_lua": { + "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value.", "type": "map", - "keys": { + "values": { "type": "string", "len_min": 1 }, - "values": { - "len_min": 1, - "type": "string" - }, - "description": "A list of key-value pairs, where the key is the name of a log field and the value is a chunk of Lua code, whose return value sets or replaces the log field value." + "keys": { + "type": "string", + "len_min": 1 + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-handshake-modifier/3.8.x.json b/schemas/tls-handshake-modifier/3.8.x.json index e3e7e4a..0ce0806 100644 --- a/schemas/tls-handshake-modifier/3.8.x.json +++ b/schemas/tls-handshake-modifier/3.8.x.json @@ -1,23 +1,21 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -25,15 +23,14 @@ "grpcs", "tls" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,19 +39,22 @@ "fields": [ { "tls_client_certificate": { + "description": "TLS Client Certificate", "required": false, - "type": "string", - "default": "REQUEST", "one_of": [ "REQUEST" ], - "description": "TLS Client Certificate" + "type": "string", + "default": "REQUEST" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/tls-metadata-headers/3.8.x.json b/schemas/tls-metadata-headers/3.8.x.json index 432788d..70e69c6 100644 --- a/schemas/tls-metadata-headers/3.8.x.json +++ b/schemas/tls-metadata-headers/3.8.x.json @@ -1,23 +1,21 @@ { - "entity_checks": [ - - ], "fields": [ { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "protocols": { - "required": true, "default": [ "https", "grpcs" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ @@ -25,15 +23,14 @@ "grpcs", "tls" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -42,55 +39,58 @@ "fields": [ { "inject_client_cert_details": { - "default": false, + "description": "Enables TLS client certificate metadata values to be injected into HTTP headers.", "type": "boolean", - "description": "Enables TLS client certificate metadata values to be injected into HTTP headers." + "default": false } }, { "client_cert_header_name": { - "required": true, - "default": "X-Client-Cert", + "description": "Define the HTTP header name used for the PEM format URL encoded client certificate.", "type": "string", - "description": "Define the HTTP header name used for the PEM format URL encoded client certificate." + "required": true, + "default": "X-Client-Cert" } }, { "client_serial_header_name": { - "required": true, - "default": "X-Client-Cert-Serial", + "description": "Define the HTTP header name used for the serial number of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the serial number of the client certificate." + "required": true, + "default": "X-Client-Cert-Serial" } }, { "client_cert_issuer_dn_header_name": { - "required": true, - "default": "X-Client-Cert-Issuer-DN", + "description": "Define the HTTP header name used for the issuer DN of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the issuer DN of the client certificate." + "required": true, + "default": "X-Client-Cert-Issuer-DN" } }, { "client_cert_subject_dn_header_name": { - "required": true, - "default": "X-Client-Cert-Subject-DN", + "description": "Define the HTTP header name used for the subject DN of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the subject DN of the client certificate." 
+ "required": true, + "default": "X-Client-Cert-Subject-DN" } }, { "client_cert_fingerprint_header_name": { - "required": true, - "default": "X-Client-Cert-Fingerprint", + "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate.", "type": "string", - "description": "Define the HTTP header name used for the SHA1 fingerprint of the client certificate." + "required": true, + "default": "X-Client-Cert-Fingerprint" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/udp-log/3.8.x.json b/schemas/udp-log/3.8.x.json index 2f09cbc..d8176b5 100644 --- a/schemas/udp-log/3.8.x.json +++ b/schemas/udp-log/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", @@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -45,15 +42,15 @@ "fields": [ { "host": { - "required": true, "description": "A string representing a host name, such as example.com.", + "required": true, "type": "string" } }, { "port": { - "required": true, "description": "An integer representing a port number between 0 and 65535, inclusive.", + "required": true, "between": [ 0, 65535 
@@ -63,9 +60,9 @@ }, { "timeout": { - "default": 10000, "description": "An optional timeout in milliseconds when sending data to the upstream server.", - "type": "number" + "type": "number", + "default": 10000 } }, { @@ -74,18 +71,21 @@ "type": "string", "len_min": 1 }, - "description": "Lua code as a key-value map", + "type": "map", "values": { - "len_min": 1, - "type": "string" + "type": "string", + "len_min": 1 }, - "type": "map" + "description": "Lua code as a key-value map" } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json index e36b6a0..cb3d6cd 100644 --- a/schemas/upstream-oauth/3.8.x.json +++ b/schemas/upstream-oauth/3.8.x.json @@ -2,8 +2,8 @@ "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, - "type": "set", "elements": { "type": "string", "one_of": [ 
@@ -13,539 +13,535 @@ "https" ] }, + "type": "set", "default": [ "grpc", "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "config": { - "type": "record", "fields": [ { "client": { - "type": "record", "fields": [ { "auth_method": { + "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body.", + "required": true, "one_of": [ "client_secret_post", "client_secret_basic", "client_secret_jwt", "none" ], - "required": true, "type": "string", - "default": "client_secret_post", - "description": "The authentication method used in client requests to the IdP. Supported values are: `client_secret_basic` to send `client_id` and `client_secret` in the `Authorization: Basic` header, `client_secret_post` to send `client_id` and `client_secret` as part of the request body, or `client_secret_jwt` to send a JWT signed with the `client_secret` using the client assertion as part of the body." + "default": "client_secret_post" } }, { "client_secret_jwt_alg": { + "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication.", + "required": true, "one_of": [ "HS512", "HS256" ], - "required": true, "type": "string", - "default": "HS512", - "description": "The algorithm to use with JWT when using `client_secret_jwt` authentication." + "default": "HS512" } }, { "http_version": { - "type": "number", "description": "The HTTP version used for requests made by this plugin. 
Supported values: `1.1` for HTTP 1.1 and `1.0` for HTTP 1.0.", - "default": 1.1, - "required": false + "required": false, + "type": "number", + "default": 1.1 } }, { "http_proxy": { - "type": "string", + "description": "The proxy to use when making HTTP requests to the IdP.", "required": false, - "description": "The proxy to use when making HTTP requests to the IdP." + "type": "string" } }, { "http_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `http_proxy`.", "type": "string", - "required": false, - "description": "The `Proxy-Authorization` header value to be used with `http_proxy`." + "required": false } }, { "https_proxy": { - "type": "string", + "description": "The proxy to use when making HTTPS requests to the IdP.", "required": false, - "description": "The proxy to use when making HTTPS requests to the IdP." + "type": "string" } }, { "https_proxy_authorization": { + "description": "The `Proxy-Authorization` header value to be used with `https_proxy`.", "type": "string", - "required": false, - "description": "The `Proxy-Authorization` header value to be used with `https_proxy`." + "required": false } }, { "no_proxy": { + "description": "A comma-separated list of hosts that should not be proxied.", "type": "string", - "required": false, - "description": "A comma-separated list of hosts that should not be proxied." + "required": false } }, { "timeout": { + "description": "Network I/O timeout for requests to the IdP in milliseconds.", + "required": true, "between": [ 0, 2147483646 ], - "required": true, "type": "integer", - "default": 10000, - "description": "Network I/O timeout for requests to the IdP in milliseconds." + "default": 10000 } }, { "keep_alive": { + "description": "Whether to use keepalive connections to the IdP.", "type": "boolean", "required": true, - "default": true, - "description": "Whether to use keepalive connections to the IdP." 
+ "default": true } }, { "ssl_verify": { + "description": "Whether to verify the certificate presented by the IdP when using HTTPS.", "type": "boolean", "required": false, - "default": false, - "description": "Whether to verify the certificate presented by the IdP when using HTTPS." + "default": false } } ], + "type": "record", "required": true } }, { "oauth": { - "type": "record", "fields": [ { "token_endpoint": { - "type": "string", + "description": "The token endpoint URI.", "required": true, - "description": "The token endpoint URI." + "type": "string" } }, { "token_headers": { + "description": "Extra headers to be passed in the token endpoint request.", "type": "map", "values": { - "referenceable": true, - "type": "string" - }, - "keys": { "type": "string", - "description": "A string representing an HTTP header name." + "referenceable": true }, - "description": "Extra headers to be passed in the token endpoint request." + "keys": { + "description": "A string representing an HTTP header name.", + "type": "string" + } } }, { "token_post_args": { + "description": "Extra post arguments to be passed in the token endpoint request.", "type": "map", "values": { - "referenceable": true, - "type": "string" + "type": "string", + "referenceable": true }, "keys": { "type": "string" - }, - "description": "Extra post arguments to be passed in the token endpoint request." + } } }, { "grant_type": { + "description": "The OAuth grant type to be used.", + "required": true, "one_of": [ "client_credentials", "password" ], - "required": true, "type": "string", - "default": "client_credentials", - "description": "The OAuth grant type to be used." + "default": "client_credentials" } }, { "client_id": { - "encrypted": true, + "description": "The client ID for the application registration in the IdP.", "required": false, "type": "string", "referenceable": true, - "description": "The client ID for the application registration in the IdP." 
+ "encrypted": true } }, { "client_secret": { - "encrypted": true, + "description": "The client secret for the application registration in the IdP.", "required": false, "type": "string", "referenceable": true, - "description": "The client secret for the application registration in the IdP." + "encrypted": true } }, { "username": { - "encrypted": true, + "description": "The username to use if `config.oauth.grant_type` is set to `password`.", "required": false, "type": "string", "referenceable": true, - "description": "The username to use if `config.oauth.grant_type` is set to `password`." + "encrypted": true } }, { "password": { - "encrypted": true, + "description": "The password to use if `config.oauth.grant_type` is set to `password`.", "required": false, "type": "string", "referenceable": true, - "description": "The password to use if `config.oauth.grant_type` is set to `password`." + "encrypted": true } }, { "scopes": { + "description": "List of scopes to request from the IdP when obtaining a new token.", "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ "openid" - ], - "description": "List of scopes to request from the IdP when obtaining a new token." + ] } }, { "audience": { + "description": "List of audiences passed to the IdP when obtaining a new token.", "required": false, - "type": "array", "elements": { "type": "string" }, + "type": "array", "default": [ - ], - "description": "List of audiences passed to the IdP when obtaining a new token." + ] } } ], + "type": "record", "required": true } }, { "cache": { - "type": "record", "fields": [ { "strategy": { + "description": "The method Kong should use to cache tokens issued by the IdP.", + "required": true, "one_of": [ "memory", "redis" ], - "required": true, "type": "string", - "default": "memory", - "description": "The method Kong should use to cache tokens issued by the IdP." 
+ "default": "memory" } }, { "memory": { - "type": "record", "fields": [ { "dictionary_name": { + "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`.", "type": "string", "required": true, - "default": "kong_db_cache", - "description": "The shared dictionary used by the plugin to cache tokens if `config.cache.strategy` is set to `memory`." + "default": "kong_db_cache" } } ], + "type": "record", "required": true } }, { "redis": { - "required": true, - "type": "record", "fields": [ { "host": { - "type": "string", - "description": "A string representing a host name, such as example.com." + "description": "A string representing a host name, such as example.com.", + "type": "string" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 - ], - "description": "An integer representing a port number between 0 and 65535, inclusive." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + "default": 2000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." 
+ "default": 2000 } }, { "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", "type": "string", - "referenceable": true, - "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`." + "referenceable": true } }, { "password": { + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", "type": "string", - "encrypted": true, "referenceable": true, - "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis." + "encrypted": true } }, { "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+.", "type": "string", - "referenceable": true, - "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. This requires Redis v6.2.0+." + "referenceable": true } }, { "sentinel_password": { + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", "type": "string", - "encrypted": true, "referenceable": true, - "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels." 
+ "encrypted": true } }, { "database": { + "description": "Database to use for the Redis connection when using the `redis` strategy", "type": "integer", - "default": 0, - "description": "Database to use for the Redis connection when using the `redis` strategy" + "default": 0 } }, { "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", "type": "integer", "between": [ 1, 2147483646 ], - "default": 256, - "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low." + "default": 256 } }, { "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", "type": "integer", "between": [ 0, 2147483646 - ], - "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. 
If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`." + ] } }, { "sentinel_master": { - "type": "string", - "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel.", + "type": "string" } }, { "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel.", "type": "string", "one_of": [ "master", "slave", "any" - ], - "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. Defining this value implies using Redis Sentinel." + ] } }, { "sentinel_nodes": { - "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", "required": false, - "type": "array", "elements": { - "type": "record", "fields": [ { "host": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ "default": 6379 } } - ] + ], + "type": "record" }, - "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element." + "type": "array", + "len_min": 1 } }, { "cluster_nodes": { - "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", "required": false, - "type": "array", "elements": { - "type": "record", "fields": [ { "ip": { - "type": "string", "description": "A string representing a host name, such as example.com.", - "default": "127.0.0.1", - "required": true + "required": true, + "type": "string", + "default": "127.0.0.1" } }, { "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", "type": "integer", "between": [ 0, 65535 ], - "default": 6379, - "description": "An integer representing a port number between 0 and 65535, inclusive." + "default": 6379 } } - ] + ], + "type": "record" }, - "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element." + "type": "array", + "len_min": 1 } }, { "ssl": { - "type": "boolean", "description": "If set to true, uses SSL to connect to Redis.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "ssl_verify": { - "type": "boolean", "description": "If set to true, verifies the validity of the server SSL certificate. If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. 
You may also need to configure `lua_ssl_verify_depth` accordingly.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } }, { "server_name": { - "type": "string", + "description": "A string representing an SNI (server name indication) value for TLS.", "required": false, - "description": "A string representing an SNI (server name indication) value for TLS." + "type": "string" } }, { "cluster_max_redirections": { - "type": "integer", "description": "Maximum retry attempts for redirection.", - "default": 5, - "required": false + "required": false, + "type": "integer", + "default": 5 } }, { "connection_is_proxied": { - "type": "boolean", "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address.", - "default": false, - "required": false + "required": false, + "type": "boolean", + "default": false } } ], "entity_checks": [ { "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "host", - "port" ] } }, { "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], "set1": [ "sentinel_master", "sentinel_role", "sentinel_nodes" - ], - "set2": [ - "cluster_nodes" ] } }, { "mutually_exclusive_sets": { - "set1": [ - "cluster_nodes" - ], "set2": [ "host", "port" + ], + "set1": [ + "cluster_nodes" ] } }, @@ -572,10 +568,10 @@ { "conditional": { "if_field": "connection_is_proxied", - "then_field": "host", "if_match": { "eq": true }, + "then_field": "host", "then_match": { "required": true } 
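Review bot: `config.client.ssl_verify` in the `@@ -13,539 +13,535 @@` hunk still defaults to `false`, so unless it is set the plugin does not verify the IdP's certificate on the connection that carries `client_secret`, `username` and `password` to `token_endpoint`. The same holds for `config.cache.redis.ssl` and `ssl_verify`, which protect the connection used to send the Redis password and to cache the issued tokens. The hunk only reorders keys, so if this file mirrors the plugin's own schema the default has to change there. Here the description should at least state the consequence, for example `"description": "Whether to verify the certificate presented by the IdP when using HTTPS. Defaults to false; enable it whenever the IdP is not reached over a trusted network."`. Separately, `auth_method` accepts `none` but its description documents only the three `client_secret_*` values.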
@@ -583,168 +579,203 @@ }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "database", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "cluster_nodes", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } }, { "custom_entity_check": { + "run_with_missing_fields": true, "field_sources": [ "sentinel_role", "connection_is_proxied" - ], - "run_with_missing_fields": true + ] } } ], + "type": "record", "shorthand_fields": [ { "timeout": { "type": "integer", - "deprecation": { - "removal_in_version": "4.0", - "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`" - }, "translate_backwards": [ "connect_timeout" - ] + ], + "deprecation": { + "replaced_with": [ + { + "path": [ + "connect_timeout" + ] + }, + { + "path": [ + "send_timeout" + ] + }, + { + "path": [ + "read_timeout" + ] + } + ], + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + } } }, { "sentinel_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "sentinel_nodes" + ] + } + ], + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead" - }, - "type": "array" + } } }, { "cluster_addresses": { + "deprecation": { + "replaced_with": [ + { + "path": [ + "cluster_nodes" + ] + } + ], + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, "len_min": 1, + "type": "array", "elements": { "type": "string" - }, - "deprecation": { - "removal_in_version": "4.0", - "message": 
"cluster_addresses is deprecated, please use cluster_nodes instead" - }, - "type": "array" + } } } - ] + ], + "required": true } }, { "eagerly_expire": { + "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`.", "required": true, "type": "integer", "gt": -1, - "default": 5, - "description": "The number of seconds to eagerly expire a cached token. By default, a cached token expires 5 seconds before its lifetime as defined in `expires_in`." + "default": 5 } }, { "default_ttl": { + "description": "The lifetime of a token without an explicit `expires_in` value.", "type": "number", "gt": 0, - "default": 3600, - "description": "The lifetime of a token without an explicit `expires_in` value." + "default": 3600 } } ], + "type": "record", "required": true } }, { "behavior": { - "type": "record", "fields": [ { "upstream_access_token_header_name": { + "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service.", "len_min": 0, - "required": true, "type": "string", - "default": "Authorization", - "description": "The name of the header used to send the access token (obtained from the IdP) to the upstream service." + "required": true, + "default": "Authorization" } }, { "idp_error_response_status_code": { + "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP.", + "required": true, "between": [ 500, 599 ], - "required": true, "type": "integer", - "default": 502, - "description": "The response code to return to the consumer if Kong fails to obtain a token from the IdP." 
+ "default": 502 } }, { "idp_error_response_content_type": { + "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "application/json; charset=utf-8", - "description": "The Content-Type of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "application/json; charset=utf-8" } }, { "idp_error_response_message": { + "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "Failed to authenticate request to upstream", - "description": "The message to embed in the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "Failed to authenticate request to upstream" } }, { "idp_error_response_body_template": { + "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP.", "len_min": 0, - "required": true, "type": "string", - "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }", - "description": "The template to use to create the body of the response to return to the consumer if Kong fails to obtain a token from the IdP." + "required": true, + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" } }, { "purge_token_on_upstream_status_codes": { + "description": "An array of status codes which will force an access token to be purged when returned by the upstream. 
An empty array will disable this functionality.", "type": "array", + "default": [ + 401 + ], "elements": { - "type": "integer", "between": [ 100, 599 - ] - }, - "default": [ - 401 - ], - "description": "An array of status codes which will force an access token to be purged when returned by the upstream. An empty array will disable this functionality." + ], + "type": "integer" + } } } ], + "type": "record", "required": true } } ], + "type": "record", "required": true } } diff --git a/schemas/upstream-timeout/3.8.x.json b/schemas/upstream-timeout/3.8.x.json index 3ca8137..279be9a 100644 --- a/schemas/upstream-timeout/3.8.x.json +++ b/schemas/upstream-timeout/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,38 +35,41 @@ "fields": [ { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 - ], - "type": "integer", - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/vault-auth/3.8.x.json b/schemas/vault-auth/3.8.x.json index 2c71b65..9fc6444 100644 --- a/schemas/vault-auth/3.8.x.json +++ b/schemas/vault-auth/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", @@ -21,23 +19,22 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, { "consumer": { - "type": "foreign", "reference": "consumers", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -46,67 +43,70 @@ "fields": [ { "access_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", - "default": "access_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for an access token. The client must send the access token in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "default": "access_token" } }, { "secret_token_name": { + "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. The key names can only contain [a-z], [A-Z], [0-9], [_], and [-].", "required": true, "elements": { - "type": "string", - "description": "A string representing an HTTP header name." + "description": "A string representing an HTTP header name.", + "type": "string" }, "type": "string", - "default": "secret_token", - "description": "Describes an array of comma-separated parameter names where the plugin looks for a secret token. The client must send the secret in one of those key names, and the plugin will try to read the credential from a header or the querystring parameter with the same name. 
The key names can only contain [a-z], [A-Z], [0-9], [_], and [-]." + "default": "secret_token" } }, { "vault": { - "required": true, "reference": "vault_auth_vaults", + "type": "foreign", "description": "A reference to an existing `vault` object within the database. `vault` entities define the connection and authentication parameters used to connect to a Vault HTTP(S) API.", - "type": "foreign" + "required": true } }, { "hide_credentials": { - "default": false, "description": "An optional boolean value telling the plugin to show or hide the credential from the upstream service. If `true`, the plugin will strip the credential from the request (i.e. the header or querystring containing the key) before proxying it.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "anonymous": { - "type": "string", - "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`.", + "type": "string" } }, { "tokens_in_body": { - "default": false, "description": "If enabled, the plugin will read the request body (if said request has one and its MIME type is supported) and try to find the key in it. 
Supported MIME types are `application/www-form-urlencoded`, `application/json`, and `multipart/form-data`.", - "type": "boolean" + "type": "boolean", + "default": false } }, { "run_on_preflight": { - "default": true, "description": "A boolean value that indicates whether the plugin should run (and try to authenticate) on `OPTIONS` preflight requests. If set to `false`, then `OPTIONS` requests will always be allowed.", - "type": "boolean" + "type": "boolean", + "default": true } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-size-limit/3.8.x.json b/schemas/websocket-size-limit/3.8.x.json index ed3c4a6..fab7b3b 100644 --- a/schemas/websocket-size-limit/3.8.x.json +++ b/schemas/websocket-size-limit/3.8.x.json @@ -1,30 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -33,26 +30,26 @@ "fields": [ { "client_max_payload": { - "required": false, + "type": "integer", "between": [ 1, 33554432 ], - "type": "integer" + "required": false } }, { "upstream_max_payload": { - "required": false, + "type": "integer", "between": [ 1, 33554432 ], - "type": "integer" + "required": false } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -61,8 +58,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/websocket-validator/3.8.x.json b/schemas/websocket-validator/3.8.x.json index f3a1fea..6fb5508 100644 --- a/schemas/websocket-validator/3.8.x.json 
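Review bot: `access_token_name` and `secret_token_name` in the `@@ -46,67 +43,70 @@` hunk are declared `"type": "string"` yet carry an `elements` block and a description that calls them "an array of comma-separated parameter names", so the schema does not say whether one name or a list is accepted. If the field is a plain string, `elements` should be dropped and the description should start `Describes the parameter name where the plugin looks for an access token.`. In the same hunk `tokens_in_body` names the MIME type `application/www-form-urlencoded`, where the registered type is `application/x-www-form-urlencoded`. `hide_credentials` defaults to `false`, which by its own description means both tokens are proxied to the upstream service unless it is set; the description should say that explicitly.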
+++ b/schemas/websocket-validator/3.8.x.json @@ -1,30 +1,27 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { - "required": true, "default": [ "ws", "wss" ], + "required": true, + "type": "set", "elements": { "type": "string", "one_of": [ "ws", "wss" ] - }, - "type": "set" + } } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, @@ -33,30 +30,30 @@ "fields": [ { "client": { - "required": false, "fields": [ { "text": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
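Review bot: The descriptions under `config.client.text` in the `@@ -33,30 +30,30 @@` hunk are copied from the upstream binary fields: `type` refers to `config.upstream.binary.schema` and `schema` says it validates "upstream-originated binary frames". The following hunks show the same text on `client.binary` and `upstream.text` as well as on `upstream.binary`, so three of the four entries misstate which direction and frame type they validate, which makes it easy to attach a schema to the wrong traffic. For this field the text should read `Schema used to validate client-originated text frames. The semantics of this field depend on the validation type set by config.client.text.type.`, with the `type` description and the other two entries adjusted the same way.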
@@ -66,32 +63,32 @@ ] } } - ], - "type": "record" + ] } }, { "binary": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -101,11 +98,12 @@ ] } } - ], - "type": "record" + ] } } ], + "required": false, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -113,36 +111,35 @@ "binary" ] } - ], - "type": "record" + ] } }, { "upstream": { - "required": false, "fields": [ { "text": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { 
@@ -152,32 +149,32 @@ ] } } - ], - "type": "record" + ] } }, { "binary": { - "required": false, "fields": [ { "type": { + "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", + "type": "string", "required": true, "one_of": [ "draft4" - ], - "description": "The corresponding validation library for `config.upstream.binary.schema`. Currently, only `draft4` is supported.", - "type": "string" + ] } }, { "schema": { - "required": true, "description": "Schema used to validate upstream-originated binary frames. The semantics of this field depend on the validation type set by `config.upstream.binary.type`.", - "type": "string" + "type": "string", + "required": true } } ], + "required": false, + "type": "record", "entity_checks": [ { "custom_entity_check": { @@ -187,11 +184,12 @@ ] } } - ], - "type": "record" + ] } } ], + "required": false, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -199,12 +197,11 @@ "binary" ] } - ], - "type": "record" + ] } } ], - "required": true, + "type": "record", "entity_checks": [ { "at_least_one_of": [ @@ -213,8 +210,11 @@ ] } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/xml-threat-protection/3.8.x.json b/schemas/xml-threat-protection/3.8.x.json index a6a3d9f..d9f354a 100644 --- a/schemas/xml-threat-protection/3.8.x.json +++ b/schemas/xml-threat-protection/3.8.x.json @@ -1,10 +1,8 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing HTTP protocols.", "required": true, "elements": { "type": "string", 
@@ -21,15 +19,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing HTTP protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -38,263 +35,266 @@ "fields": [ { "checked_content_types": { + "description": "A list of Content-Type values with payloads that must be validated.", "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", "default": [ "application/xml" - ], - "description": "A list of Content-Type values with payloads that must be validated." + ] } }, { "allowed_content_types": { + "description": "A list of Content-Type values with payloads that are allowed, but aren't validated.", "required": true, "elements": { "required": true, - "match": "^[^%s]+%/[^ ;]+$", - "type": "string" + "type": "string", + "match": "^[^%s]+%/[^ ;]+$" }, "type": "set", "default": [ - ], - "description": "A list of Content-Type values with payloads that are allowed, but aren't validated." + ] } }, { "allow_dtd": { - "required": true, - "default": false, + "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed.", "type": "boolean", - "description": "Indicates whether an XML Document Type Definition (DTD) section is allowed." + "required": true, + "default": false } }, { "namespace_aware": { - "required": true, - "default": true, + "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such.", "type": "boolean", - "description": "If not parsing namespace aware, all prefixes and namespace attributes will be counted as regular attributes and element names, and validated as such." + "required": true, + "default": true } }, { "max_depth": { - "gt": 0, - "type": "integer", - "default": 50, + "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level.", "required": true, - "description": "Maximum depth of tags. Child elements such as Text or Comments are not counted as another level." 
+ "type": "integer", + "gt": 0, + "default": 50 } }, { "max_children": { - "gt": 0, - "type": "integer", - "default": 100, + "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child.", "required": true, - "description": "Maximum number of children allowed (Element, Text, Comment, ProcessingInstruction, CDATASection). Note: Adjacent text and CDATA sections are counted as one. For example, text-cdata-text-cdata is one child." + "type": "integer", + "gt": 0, + "default": 100 } }, { "max_attributes": { - "gt": 0, - "type": "integer", - "default": 100, + "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes.", "required": true, - "description": "Maximum number of attributes allowed on a tag, including default ones. Note: If namespace-aware parsing is disabled, then the namespaces definitions are counted as attributes." + "type": "integer", + "gt": 0, + "default": 100 } }, { "max_namespaces": { - "gt": 0, - "type": "integer", - "default": 20, + "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum number of namespaces defined on a tag. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 20 } }, { "document": { - "gt": 0, - "type": "integer", - "default": 10485760, + "description": "Maximum size of the entire document.", "required": true, - "description": "Maximum size of the entire document." 
+ "type": "integer", + "gt": 0, + "default": 10485760 } }, { "buffer": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum size of the unparsed buffer (see below).", "required": true, - "description": "Maximum size of the unparsed buffer (see below)." + "type": "integer", + "gt": 0, + "default": 1048576 } }, { "comment": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of comments.", "required": true, - "description": "Maximum size of comments." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "localname": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the localname. This applies to tags and attributes.", "required": true, - "description": "Maximum size of the localname. This applies to tags and attributes." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "prefix": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum size of the prefix. This applies to tags and attributes. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "namespaceuri": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware.", "required": false, - "description": "Maximum size of the namespace URI. This value is required if parsing is namespace-aware." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "attribute": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum size of the attribute value.", "required": true, - "description": "Maximum size of the attribute value." 
+ "type": "integer", + "gt": 0, + "default": 1048576 } }, { "text": { - "gt": 0, - "type": "integer", - "default": 1048576, + "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined).", "required": true, - "description": "Maximum text inside tags (counted over all adjacent text/CDATA elements combined)." + "type": "integer", + "gt": 0, + "default": 1048576 } }, { "pitarget": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of processing instruction targets.", "required": true, - "description": "Maximum size of processing instruction targets." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "pidata": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of processing instruction data.", "required": true, - "description": "Maximum size of processing instruction data." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entityname": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of entity names in EntityDecl.", "required": true, - "description": "Maximum size of entity names in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entity": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of entity values in EntityDecl.", "required": true, - "description": "Maximum size of entity values in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "entityproperty": { - "gt": 0, - "type": "integer", - "default": 1024, + "description": "Maximum size of systemId, publicId, or notationName in EntityDecl.", "required": true, - "description": "Maximum size of systemId, publicId, or notationName in EntityDecl." + "type": "integer", + "gt": 0, + "default": 1024 } }, { "bla_max_amplification": { - "gt": 1, - "type": "number", - "default": 100, + "description": "Sets the maximum allowed amplification. 
This protects against the Billion Laughs Attack.", "required": true, - "description": "Sets the maximum allowed amplification. This protects against the Billion Laughs Attack." + "type": "number", + "gt": 1, + "default": 100 } }, { "bla_threshold": { + "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack.", "required": true, "type": "integer", - "default": 8388608, "gt": 1024, - "description": "Sets the threshold after which the protection starts. This protects against the Billion Laughs Attack." + "default": 8388608 } } ], - "required": true, + "type": "record", "entity_checks": [ { "conditional": { - "then_field": "max_namespaces", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "max_namespaces", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } }, { "conditional": { - "then_field": "prefix", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "prefix", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } }, { "conditional": { - "then_field": "namespaceuri", + "if_field": "namespace_aware", "if_match": { "eq": true }, + "then_field": "namespaceuri", "then_match": { "required": true - }, - "if_field": "namespace_aware" + } } } ], - "type": "record" + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file diff --git a/schemas/zipkin/3.8.x.json b/schemas/zipkin/3.8.x.json index bac2c9b..cd177c4 100644 --- a/schemas/zipkin/3.8.x.json +++ b/schemas/zipkin/3.8.x.json @@ -1,12 +1,12 @@ { - "entity_checks": [ - - ], "fields": [ { "protocols": { + "description": "A set of strings representing protocols.", "required": true, "elements": { + "description": "A string representing a protocol, such as HTTP or HTTPS.", + "type": "string", "one_of": [ "grpc", "grpcs", 
@@ -18,9 +18,7 @@ "udp", "ws", "wss" - ], - "type": "string", - "description": "A string representing a protocol, such as HTTP or HTTPS." + ] }, "type": "set", "default": [ @@ -28,15 +26,14 @@ "grpcs", "http", "https" - ], - "description": "A set of strings representing protocols." + ] } }, { "consumer_group": { - "type": "foreign", "reference": "consumer_groups", "eq": null, + "type": "foreign", "description": "Custom type for representing a foreign key with a null value allowed." } }, 
@@ -45,65 +42,59 @@ "fields": [ { "local_service_name": { + "description": "The name of the service as displayed in Zipkin.", "required": true, - "default": "kong", "type": "string", - "description": "The name of the service as displayed in Zipkin." + "default": "kong" } }, { "http_endpoint": { - "type": "string", - "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search." + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" } }, { "sample_ratio": { + "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. ", + "type": "number", "between": [ 0, 1 ], - "default": 0.001, - "type": "number", - "description": "How often to sample requests that do not contain trace IDs. Set to `0` to turn sampling off, or to `1` to sample **all** requests. " + "default": 0.001 } }, { "default_service_name": { - "type": "string", - "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans." + "description": "Set a default service name to override `unknown-service-name` in the Zipkin spans.", + "type": "string" } }, { "include_credential": { + "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server.", "required": true, - "default": true, "type": "boolean", - "description": "Specify whether the credential of the currently authenticated consumer should be included in metadata sent to the Zipkin server." + "default": true } }, { "traceid_byte_count": { + "description": "The length in bytes of each request's Trace ID.", "required": true, - "type": "integer", - "default": 16, "one_of": [ 8, 16 ], - "description": "The length in bytes of each request's Trace ID." 
+ "type": "integer", + "default": 16 } }, { "header_type": { + "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests", "required": true, - "type": "string", - "deprecation": { - "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", - "removal_in_version": "4.0", - "old_default": "preserve" - }, - "default": "preserve", "one_of": [ "preserve", "ignore", @@ -116,19 +107,19 @@ "datadog", "gcp" ], - "description": "All HTTP requests going through the plugin are tagged with a tracing HTTP request. This property codifies what kind of tracing header the plugin expects on incoming requests" + "type": "string", + "default": "preserve", + "deprecation": { + "old_default": "preserve", + "message": "zipkin: config.header_type is deprecated, please use config.propagation options instead", + "removal_in_version": "4.0" + } } }, { "default_header_type": { + "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored.", "required": true, - "type": "string", - "deprecation": { - "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", - "removal_in_version": "4.0", - "old_default": "b3" - }, - "default": "b3", "one_of": [ "b3", "b3-single", 
@@ -139,25 +130,31 @@ "datadog", "gcp" ], - "description": "Allows specifying the type of header to be added to requests with no pre-existing tracing headers and when `config.header_type` is set to `\"preserve\"`. When `header_type` is set to any other value, `default_header_type` is ignored." + "type": "string", + "default": "b3", + "deprecation": { + "old_default": "b3", + "message": "zipkin: config.default_header_type is deprecated, please use config.propagation.default_format instead", + "removal_in_version": "4.0" + } } }, { "tags_header": { + "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property.", "required": true, - "default": "Zipkin-Tags", "type": "string", - "description": "The Zipkin plugin will add extra headers to the tags associated with any HTTP requests that come with a header named as configured by this property." + "default": "Zipkin-Tags" } }, { "static_tags": { "description": "The tags specified on this property will be added to the generated request traces.", + "type": "array", "elements": { "fields": [ { "name": { - "required": true, "not_one_of": [ "error", "http.method", 
@@ -173,64 +170,64 @@ "lc", "peer.hostname" ], + "required": true, "type": "string" } }, { "value": { - "required": true, - "type": "string" + "type": "string", + "required": true } } ], "type": "record" - }, - "type": "array" + } } }, { "http_span_name": { + "description": "Specify whether to include the HTTP path in the span name.", "required": true, - "type": "string", - "default": "method", "one_of": [ "method", "method_path" ], - "description": "Specify whether to include the HTTP path in the span name." + "type": "string", + "default": "method" } }, { "connect_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 2000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 2000 } }, { "send_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { "read_timeout": { + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "type": "integer", "between": [ 0, 2147483646 ], - "default": 5000, - "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", - "type": "integer" + "default": 5000 } }, { @@ -240,14 +237,14 @@ }, { "phase_duration_flavor": { + "description": "Specify whether to include the duration of each phase as an annotation or a tag.", "required": true, - "type": "string", - "default": "annotations", "one_of": [ "annotations", "tags" ], - "description": "Specify whether to include the duration of each phase as an annotation or a tag." + "type": "string", + "default": "annotations" } }, { 
@@ -255,86 +252,86 @@ "fields": [ { "max_batch_size": { + "description": "Maximum number of entries that can be processed at a time.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 1, - "type": "integer", - "description": "Maximum number of entries that can be processed at a time." + "default": 1 } }, { "max_coalescing_delay": { + "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler.", + "type": "number", "between": [ 0, 3600 ], - "default": 1, - "type": "number", - "description": "Maximum number of (fractional) seconds to elapse after the first entry was queued before the queue starts calling the handler." + "default": 1 } }, { "max_entries": { + "description": "Maximum number of entries that can be waiting on the queue.", + "type": "integer", "between": [ 1, 1000000 ], - "default": 10000, - "type": "integer", - "description": "Maximum number of entries that can be waiting on the queue." + "default": 10000 } }, { "max_bytes": { - "type": "integer", - "description": "Maximum number of bytes that can be waiting on a queue, requires string content." + "description": "Maximum number of bytes that can be waiting on a queue, requires string content.", + "type": "integer" } }, { "max_retry_time": { - "default": 60, + "description": "Time in seconds before the queue gives up calling a failed handler for a batch.", "type": "number", - "description": "Time in seconds before the queue gives up calling a failed handler for a batch." + "default": 60 } }, { "initial_retry_delay": { + "description": "Time in seconds before the initial retry is made for a failing batch.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 0.01, - "type": "number", - "description": "Time in seconds before the initial retry is made for a failing batch." 
+ "default": 0.01 } }, { "max_retry_delay": { + "description": "Maximum time in seconds between retries, caps exponential backoff.", + "type": "number", "between": [ 0.001, 1000000 ], - "default": 60, - "type": "number", - "description": "Maximum time in seconds between retries, caps exponential backoff." + "default": 60 } }, { "concurrency_limit": { + "description": "The number of of queue delivery timers. -1 indicates unlimited.", "type": "integer", "default": 1, "one_of": [ -1, 1 - ], - "description": "The number of of queue delivery timers. -1 indicates unlimited." + ] } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } }, { 
@@ -342,80 +339,83 @@ "fields": [ { "extract": { + "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID.", "type": "array", "elements": { "type": "string", "one_of": [ + "gcp", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "jaeger" + "b3" ] - }, - "description": "Header formats used to extract tracing context from incoming requests. If multiple values are specified, the first one found will be used for extraction. If left empty, Kong will not extract any tracing context information from incoming requests and generate a trace with no parent and a new trace ID." + } } }, { "clear": { + "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared.", "type": "array", "elements": { "type": "string" - }, - "description": "Header names to clear after context extraction. This allows to extract the context from a certain header and then remove it from the request, useful when extraction and injection are performed on different header formats and the original header should not be sent to the upstream. If left empty, no headers are cleared." + } } }, { "inject": { + "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. 
If left empty, Kong will not inject any tracing context information in outgoing requests.", "type": "array", "elements": { "type": "string", "one_of": [ "preserve", + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" + "b3" ] - }, - "description": "Header formats used to inject tracing context. The value `preserve` will use the same header format as the incoming request. If multiple values are specified, all of them will be used during injection. If left empty, Kong will not inject any tracing context information in outgoing requests." + } } }, { "default_format": { + "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`.", + "type": "string", "required": true, "one_of": [ + "gcp", + "b3-single", + "jaeger", "aws", "ot", "w3c", "datadog", - "b3", - "gcp", - "b3-single", - "jaeger" - ], - "type": "string", - "description": "The default header format to use when extractors did not match any format in the incoming headers and `inject` is configured with the value: `preserve`. This can happen when no tracing header was found in the request, or the incoming tracing header formats were not included in `extract`." + "b3" + ] } } ], + "type": "record", + "required": true, "default": { "default_format": "b3" - }, - "required": true, - "type": "record" + } } } ], - "required": true, - "type": "record" + "type": "record", + "required": true } } + ], + "entity_checks": [ + ] } \ No newline at end of file