From a15dc8f409a23ef2f5ea14991dcf483e119f7ffa Mon Sep 17 00:00:00 2001
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Thu, 22 Aug 2024 07:31:45 -0700
Subject: [PATCH] generate schema and validate example for new upstream-oauth plugin (#53)

---
 examples/upstream-oauth/_3.8.x.yaml | 12 +
 schemas/upstream-oauth/3.8.x.json | 749 ++++++++++++++++++++++++++++
 2 files changed, 761 insertions(+)
 create mode 100644 examples/upstream-oauth/_3.8.x.yaml
 create mode 100644 schemas/upstream-oauth/3.8.x.json

diff --git a/examples/upstream-oauth/_3.8.x.yaml b/examples/upstream-oauth/_3.8.x.yaml
new file mode 100644
index 0000000..2c80a4a
--- /dev/null
+++ b/examples/upstream-oauth/_3.8.x.yaml
@@ -0,0 +1,12 @@
+name: upstream-oauth
+config:
+ oauth:
+ token_endpoint: "http://test.test"
+ grant_type: client_credentials
+ client_id: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_ID
+ client_secret: CLIENT_CREDENTIALS_GRANT_POST_AUTH_CLIENT_SECRET
+ scopes:
+ - "openid"
+ - "profile"
+ behavior:
+ upstream_access_token_header_name: X-Custom-Auth
\ No newline at end of file
diff --git a/schemas/upstream-oauth/3.8.x.json b/schemas/upstream-oauth/3.8.x.json
new file mode 100644
index 0000000..eb37081
--- /dev/null
+++ b/schemas/upstream-oauth/3.8.x.json
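Review bot: The example's `token_endpoint: "http://test.test"` models a plain-HTTP token endpoint, and with `grant_type: client_credentials` the plugin posts `client_id` and `client_secret` to that URL, so anyone copying the snippet as-is would send the secret unencrypted; since files under `examples/` tend to be surfaced in generated documentation, prefer `token_endpoint: "https://test.test"` so the example reflects the expected deployment. The credential values are presumably placeholders used only to validate the example against the schema, so this is a documentation concern rather than a functional defect. The schema marks `client_id` and `client_secret` as `referenceable`, so the example could also hint that a vault reference is the intended way to supply them. The file also ends without a trailing newline (`\ No newline at end of file`).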
@@ -0,0 +1,749 @@ +{ + "entity_checks": [ + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + }, + { + "custom_entity_check": { + "field_sources": [ + "config" + ] + } + } + ], + "fields": [ + { + "protocols": { + "required": true, + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "set", + "description": "A set of strings representing HTTP protocols.", + "elements": { + "type": "string", + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ] + } + } + }, + { + "config": { + "fields": [ + { + "client": { + "fields": [ + { + "auth_method": { + "required": true, + "default": "client_secret_post", + "type": "string", + "one_of": [ + "client_secret_post", + "client_secret_basic", + "client_secret_jwt", + "none" + ] + } + }, + { + "client_secret_jwt_alg": { + "required": true, + "default": "HS512", + "type": "string", + "one_of": [ + "HS512", + "HS256" + ] + } + }, + { + "http_version": { + "required": false, + "default": 1.1, + "type": "number" + } + }, + { + "http_proxy": { + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "http_proxy_authorization": { + "type": "string", + "required": false + } + }, + { + "https_proxy": { + "required": false, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "https_proxy_authorization": { + "type": "string", + "required": false + } + }, + { + "no_proxy": { + "type": "string", + "required": false + } + }, + { + "timeout": { + "required": true, + "default": 10000, + "type": "integer", + "description": "An integer representing a timeout in milliseconds. 
Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "keep_alive": { + "required": true, + "default": true, + "type": "boolean" + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean" + } + } + ], + "type": "record", + "required": true + } + }, + { + "oauth": { + "fields": [ + { + "token_endpoint": { + "required": true, + "description": "A string representing a URL, such as https://example.com/path/to/resource?q=search.", + "type": "string" + } + }, + { + "token_headers": { + "required": true, + "default": [ + + ], + "type": "map", + "keys": { + "type": "string", + "description": "A string representing an HTTP header name." + }, + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "token_post_args": { + "required": true, + "default": [ + + ], + "type": "map", + "keys": { + "type": "string" + }, + "values": { + "type": "string", + "referenceable": true + } + } + }, + { + "grant_type": { + "required": true, + "default": "client_credentials", + "type": "string", + "one_of": [ + "client_credentials", + "password" + ] + } + }, + { + "client_id": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "client_secret": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "username": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "password": { + "required": false, + "encrypted": true, + "type": "string", + "referenceable": true + } + }, + { + "scopes": { + "required": false, + "default": [ + "openid" + ], + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "audience": { + "required": false, + "default": [ + + ], + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "type": "record", + "required": true + } + }, + { + "cache": { + "fields": [ + { + "strategy": { + "required": true, + "default": 
"memory", + "type": "string", + "one_of": [ + "memory", + "redis" + ] + } + }, + { + "memory": { + "fields": [ + { + "dictionary_name": { + "required": true, + "default": "kong_db_cache", + "type": "string" + } + } + ], + "type": "record", + "required": true + } + }, + { + "redis": { + "required": true, + "type": "record", + "fields": [ + { + "host": { + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "type": "integer", + "between": [ + 0, + 65535 + ] + } + }, + { + "connect_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "send_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "read_timeout": { + "default": 2000, + "description": "An integer representing a timeout in milliseconds. Must be between 0 and 2^31-2.", + "between": [ + 0, + 2147483646 + ], + "type": "integer" + } + }, + { + "username": { + "description": "Username to use for Redis connections. If undefined, ACL authentication won't be performed. This requires Redis v6.0.0+. To be compatible with Redis v5.x.y, you can set it to `default`.", + "type": "string", + "referenceable": true + } + }, + { + "password": { + "type": "string", + "description": "Password to use for Redis connections. If undefined, no AUTH commands are sent to Redis.", + "encrypted": true, + "referenceable": true + } + }, + { + "sentinel_username": { + "description": "Sentinel username to authenticate with a Redis Sentinel instance. If undefined, ACL authentication won't be performed. 
This requires Redis v6.2.0+.", + "type": "string", + "referenceable": true + } + }, + { + "sentinel_password": { + "type": "string", + "description": "Sentinel password to authenticate with a Redis Sentinel instance. If undefined, no AUTH commands are sent to Redis Sentinels.", + "encrypted": true, + "referenceable": true + } + }, + { + "database": { + "default": 0, + "type": "integer", + "description": "Database to use for the Redis connection when using the `redis` strategy" + } + }, + { + "keepalive_pool_size": { + "description": "The size limit for every cosocket connection pool associated with every remote server, per worker process. If neither `keepalive_pool_size` nor `keepalive_backlog` is specified, no pool is created. If `keepalive_pool_size` isn't specified but `keepalive_backlog` is specified, then the pool uses the default value. Try to increase (e.g. 512) this value if latency is high or throughput is low.", + "default": 256, + "between": [ + 1, + 2147483646 + ], + "type": "integer" + } + }, + { + "keepalive_backlog": { + "description": "Limits the total number of opened connections for a pool. If the connection pool is full, connection queues above the limit go into the backlog queue. If the backlog queue is full, subsequent connect operations fail and return `nil`. Queued operations (subject to set timeouts) resume once the number of connections in the pool is less than `keepalive_pool_size`. If latency is high or throughput is low, try increasing this value. Empirically, this value is larger than `keepalive_pool_size`.", + "type": "integer", + "between": [ + 0, + 2147483646 + ] + } + }, + { + "sentinel_master": { + "type": "string", + "description": "Sentinel master to use for Redis connections. Defining this value implies using Redis Sentinel." + } + }, + { + "sentinel_role": { + "description": "Sentinel role to use for Redis connections when the `redis` strategy is defined. 
Defining this value implies using Redis Sentinel.", + "type": "string", + "one_of": [ + "master", + "slave", + "any" + ] + } + }, + { + "sentinel_nodes": { + "required": false, + "type": "array", + "len_min": 1, + "description": "Sentinel node addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Sentinel. The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "host": { + "required": true, + "default": "127.0.0.1", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + } + } + }, + { + "cluster_nodes": { + "required": false, + "type": "array", + "len_min": 1, + "description": "Cluster addresses to use for Redis connections when the `redis` strategy is defined. Defining this field implies using a Redis Cluster. The minimum length of the array is 1 element.", + "elements": { + "type": "record", + "fields": [ + { + "ip": { + "required": true, + "default": "127.0.0.1", + "type": "string", + "description": "A string representing a host name, such as example.com." + } + }, + { + "port": { + "default": 6379, + "description": "An integer representing a port number between 0 and 65535, inclusive.", + "between": [ + 0, + 65535 + ], + "type": "integer" + } + } + ] + } + } + }, + { + "ssl": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, uses SSL to connect to Redis." + } + }, + { + "ssl_verify": { + "required": false, + "default": false, + "type": "boolean", + "description": "If set to true, verifies the validity of the server SSL certificate. 
If setting this parameter, also configure `lua_ssl_trusted_certificate` in `kong.conf` to specify the CA (or server) certificate used by your Redis server. You may also need to configure `lua_ssl_verify_depth` accordingly." + } + }, + { + "server_name": { + "required": false, + "description": "A string representing an SNI (server name indication) value for TLS.", + "type": "string" + } + }, + { + "cluster_max_redirections": { + "required": false, + "default": 5, + "type": "integer", + "description": "Maximum retry attempts for redirection." + } + }, + { + "connection_is_proxied": { + "required": false, + "default": false, + "type": "boolean", + "description": "If the connection to Redis is proxied (e.g. Envoy), set it `true`. Set the `host` and `port` to point to the proxy address." + } + } + ], + "shorthand_fields": [ + { + "timeout": { + "deprecation": { + "message": "redis schema field `timeout` is deprecated, use `connect_timeout`, `send_timeout` and `read_timeout`", + "removal_in_version": "4.0" + }, + "type": "integer", + "translate_backwards": [ + "connect_timeout" + ] + } + }, + { + "sentinel_addresses": { + "deprecation": { + "message": "sentinel_addresses is deprecated, please use sentinel_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + }, + { + "cluster_addresses": { + "deprecation": { + "message": "cluster_addresses is deprecated, please use cluster_nodes instead", + "removal_in_version": "4.0" + }, + "len_min": 1, + "type": "array", + "elements": { + "type": "string" + } + } + } + ], + "entity_checks": [ + { + "mutually_exclusive_sets": { + "set2": [ + "host", + "port" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "cluster_nodes" + ], + "set1": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + } + }, + { + "mutually_exclusive_sets": { + "set2": [ + "host", + 
"port" + ], + "set1": [ + "cluster_nodes" + ] + } + }, + { + "mutually_required": [ + "sentinel_master", + "sentinel_role", + "sentinel_nodes" + ] + }, + { + "mutually_required": [ + "host", + "port" + ] + }, + { + "mutually_required": [ + "connect_timeout", + "send_timeout", + "read_timeout" + ] + }, + { + "conditional": { + "if_field": "connection_is_proxied", + "if_match": { + "eq": true + }, + "then_field": "host", + "then_match": { + "required": true + } + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "database", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "cluster_nodes", + "connection_is_proxied" + ] + } + }, + { + "custom_entity_check": { + "run_with_missing_fields": true, + "field_sources": [ + "sentinel_role", + "connection_is_proxied" + ] + } + } + ] + } + }, + { + "eagerly_expire": { + "required": true, + "default": 5, + "gt": -1, + "type": "integer" + } + }, + { + "default_ttl": { + "default": 3600, + "gt": 0, + "type": "number" + } + } + ], + "type": "record", + "required": true + } + }, + { + "behavior": { + "fields": [ + { + "upstream_access_token_header_name": { + "required": true, + "len_min": 0, + "type": "string", + "default": "Authorization" + } + }, + { + "idp_error_response_status_code": { + "required": true, + "default": 502, + "type": "integer", + "between": [ + 500, + 599 + ] + } + }, + { + "idp_error_response_content_type": { + "required": true, + "len_min": 0, + "type": "string", + "default": "application/json; charset=utf-8" + } + }, + { + "idp_error_response_message": { + "required": true, + "len_min": 0, + "type": "string", + "default": "Failed to authenticate request to upstream" + } + }, + { + "idp_error_response_body_template": { + "required": true, + "len_min": 0, + "type": "string", + "default": "{ \"code\": \"{{status}}\", \"message\": \"{{message}}\" }" + } + }, + { + 
"purge_token_on_upstream_status_codes": { + "default": [ + 401 + ], + "type": "array", + "elements": { + "type": "integer", + "between": [ + 100, + 599 + ] + } + } + } + ], + "type": "record", + "required": true + } + } + ], + "type": "record", + "required": true + } + } + ] +} \ No newline at end of file