diff --git a/doc/policies_list/3.10.0/policies.json b/doc/policies_list/3.10.0/policies.json
new file mode 100644
index 000000000..6c758d0e7
--- /dev/null
+++ b/doc/policies_list/3.10.0/policies.json
@@ -0,0 +1,2718 @@ +{ + "policies": { + "token_introspection": [ + { + "summary": "Configures OAuth 2.0 Token Introspection.", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ], + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "minimum": 1, + "description": "Max TTL for cached tokens", + "type": "integer" + }, + "max_cached_tokens": { + "maximum": 10000, + "minimum": 0, + "description": "Max number of tokens to cache", + "type": "integer" + }, + "auth_type": { + "type": "string", + "default": "client_id+client_secret", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "content_caching": [ + { + "summary": "Option to enable content caching on responses.", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any 
Liquid filter operation" + ], + "name": "Content caching", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "rule": { + "title": "Rule", + "required": [ + "cache" + ], + "properties": { + "header": { + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "title": "Header name ", + "default": "X-Cache-Status", + "type": "string" + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "title": "Combine operation", + "default": "and", + "type": "string" + } + }, + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "type": "object" + }, + "cache": { + "title": "Enable cache if match", + "default": false, + "type": "boolean" + } + }, + "$id": "#/definitions/rule", + "type": "object" + } + }, + "properties": { + "rules": { + "title": "Rules", + "items": { + "$ref": 
"#/definitions/rule" + }, + "minItems": 1, + "description": "Rules to enable/disable caching", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream": [ + { + "name": "Upstream", + "summary": "Allows to modify the upstream URL of the request based on its path.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + }, + "required": [ + "regex", + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rewrite_url_captures": [ + { + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "name": "URL Rewriting with Captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "methods": { + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "type": "array" + } + }, + "properties": { + "transformations": { + "items": { + "properties": { + "methods": { + "$ref": "#/definitions/methods" + }, + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_mtls": [ + { + "summary": "Certificates to be used with the upstream API", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config", + "name": "Upstream Mutual TLS", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "title": "Upstream MTLS", + "dependencies": { + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate_type": { + "const": "embedded" + }, + "certificate": { + "title": "Certificate", + "type": "string", + "format": "data-url" + } + } + }, + { + "properties": { + "certificate_type": { + "const": "path" + }, + 
"certificate": { + "type": "string", + "title": "Certificate" + } + } + } + ] + }, + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "title": "Certificate Key", + "type": "string", + "format": "data-url" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "type": "string", + "title": "Certificate Key" + } + } + } + ] + } + }, + "required": [ + "certificate_type", + "certificate_key_type" + ], + "properties": { + "certificate_type": { + "enum": [ + "path", + "embedded" + ], + "title": "Certificate type", + "default": "path", + "type": "string" + }, + "certificate_key_type": { + "enum": [ + "path", + "embedded" + ], + "title": "Certificate key type", + "default": "path", + "type": "string" + } + }, + "description": "Built-in Upstream MTLS APIcast policy", + "type": "object" + }, + "version": "builtin" + } + ], + "custom_metrics": [ + { + "name": "Custom Metrics", + "summary": "Custom metrics on Nginx post actions ", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "custom_metrics_rule": { + "properties": { + "increment": { + "description": "How many hits should be incremented, liquid value ", + "title": "Increment ", + "default": "1", + "type": "string" + }, + "metric": { + "description": "Metric name to increment in case of condition match (liquid input)", + "title": "Metric to increment ", + "default": "", + "type": "string" + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "title": "Combine operation", + "default": "and", + "type": "string" + } + }, + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "type": "object" + } + }, + "type": "object", + "required": [ + "metric", + "condition", + "increment" + ] + } + }, + "properties": { + "rules": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/custom_metrics_rule" + } + } + } + }, + "version": "builtin" + } + ], + "logging": [ + { + "summary": "Controls logging.", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. 
Also it allows to have a custom access logs format per service" + ], + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "properties": { + "condition": { + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value", + "type": "string" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + } + }, + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. 
Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "value": { + "type": "string", + "description": "String to get request information" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "caching": [ + { + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "name": "3scale Auth Caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "description": "Caching mode", + "type": "string" + } + }, + "type": "object", + "required": [ + "caching_type" + ] + }, + "version": "builtin" + } + ], + "upstream_connection": [ + { + "summary": "Allows to configure several options for the connections to the upstream", + "description": "Allows to configure several options for the connections to the upstream", + "name": "Upstream Connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "tls": [ + { + "summary": "Configure TLS termination certificates", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ], + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "certificates": { + "items": { + "anyOf": [ + { + "properties": { + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + }, + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + } + }, + "title": "Embedded certificate", + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string", + "format": "data-url" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string", + "format": "data-url" + } + }, + "title": "Certificate from local filesystem", + "required": [ + "certificate", + "certificate_key" + ] + } + ], + "type": "object" + }, + "title": "TLS certificates", + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "oauth_mtls": [ + { + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ], + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "apicast": [ + { + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. 
This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "tls_validation": [ + { + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "maintenance_mode": [ + { + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "description": [ + "A policy which allows you reject incoming requests with a specified status code and message.", + "It's useful for maintenance periods or to temporarily block an API." 
+ ], + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "message_content_type": { + "type": "string", + "default": "text/plain; charset=utf-8", + "description": "Content-Type header for the response" + }, + "status": { + "type": "integer", + "default": 503, + "description": "HTTP status code to return" + }, + "message": { + "type": "string", + "default": "Service Unavailable - Maintenance", + "description": "HTTP response to return" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "routing": [ + { + "name": "Routing", + "summary": "Allows to modify the upstream URL of the request.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + 
"match", + "op", + "value" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. ", + "type": "integer" + }, + "url": { + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "combine_op": { + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path", + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "ip_check": [ + { + "summary": "Accepts or denies a request based on the IP.", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. 
\n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ], + "name": "IP Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "error_msg": { + "description": "", + "default": "IP address not allowed", + "type": "string" + }, + "client_ip_sources": { + "maxItems": 3, + "minItems": 1, + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Get the IP from the proxy_protocol_addr variable", + "enum": [ + "proxy_protocol_addr" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "default": [ + "last_caller" + ], + "type": "array" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + } + }, + "required": [ + "ips", + "check_type" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "websocket": [ + { + "summary": "Allows websocket connection pass through.", + "description": [ + "A policy which allows Websocket traffic for the service" + ], + "name": "Websocket", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit_headers": [ + { + "summary": "Set rate limit headers on response", + "description": [ + "This policy implements 
the `RateLimit Header Fields for HTTP` draft in ", + "responses." + ], + "name": "Rate Limits Headers", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": {}, + "version": "builtin" + } + ], + "camel": [ + { + "summary": "Adds an Camel proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Camel Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "retry": [ + { + "summary": "Allows to retry requests to the upstream", + "description": "Allows to retry requests to the upstream", + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "description": "Number of retries", + "type": "integer" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "default_credentials": [ + { + "name": "Anonymous Access", + "summary": "Provides default credentials for unauthenticated requests.", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. 
\n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "auth_type": { + "type": "string", + "default": "user_key", + "enum": [ + "user_key", + "app_id_and_app_key" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_id": { + "type": "string" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "grpc": [ + { + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ], + "name": "HTTP2 Endpoint", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "soap": [ + { + "summary": "Adds support for a small subset of SOAP.", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. 
The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "properties": { + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "liquid_context_debug": [ + { + "name": "Liquid Context Debug", + "summary": "Inspects the available liquid context.", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_batcher": [ + { + "summary": "Caches auths from 3scale backend and batches reports.", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ], + "name": "3scale Batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit": [ + { + "summary": "Adds rate limit.", + "description": [ + "This policy adds rate limit." 
+ ], + "name": "Edge Limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "error_handling": { + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "description": "How to handle an error", + "default": "exit", + "type": "string" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 0, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + }, + "key": { + "type": "object", + "properties": { + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "default": "service", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "default": "plain", + "type": "string" + } + }, + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + } + }, + "properties": { + "connection_limiters": { + "items": { + "properties": { + "condition": { + "$ref": "#/definitions/condition" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 429, + "description": "The status code when requests over the limit" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" + }, + "configuration_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 500, + "description": "The status code when there is some configuration issue" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + 
"type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "window": { + "type": "integer", + "minimum": 0, + "default": 1, + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "payload_limits": [ + { + "summary": "Limit request or response base on the size of the content", + "description": [ + "This policy add limits based on request or response content size." 
+ ], + "name": "Response/Request content limits", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "type": "object", + "properties": { + "response": { + "title": "The response limit in bytes", + "examples": [ + 0 + ], + "description": "Response limit in bytes, 0 allows all", + "minimum": 0, + "default": 0, + "type": "integer" + }, + "request": { + "title": "The request limit in bytes", + "examples": [ + 0 + ], + "description": "Request limit in bytes, 0 allows all", + "minimum": 0, + "default": 0, + "type": "integer" + } + }, + "additionalProperties": true, + "required": [ + "request", + "response" + ] + }, + "version": "builtin" + } + ], + "headers": [ + { + "summary": "Allows to include custom headers.", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." 
+ ], + "name": "Header Modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." + } + }, + "required": [ + "op", + "header" + ], + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "cors": [ + { + "name": "CORS Request Handling", + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "http_proxy": [ + { + "summary": "Adds an HTTP proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Proxy Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. 
Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "conditional": [ + { + "summary": "Executes a policy chain conditionally.", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "name": "Conditional Policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The 
policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "echo": [ + { + "summary": "Prints the request back to the client and optionally sets a status code.", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ], + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_referrer": [ + { + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "description": "Sends the 'Referer' to 3scale backend for validation.", + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "url_rewriting": [ + { + "summary": "Allows to modify the path of a request.", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. 
If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ], + "name": "URL Rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "methods": { + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "type": "array", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "$id": "#/definitions/methods" + } + }, + "properties": { + "query_args_commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "methods": { + "$ref": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. 
If left blank it will be applied to all HTTP methods" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + } + }, + "required": [ + "op", + "arg" + ], + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + } + }, + "required": [ + "op", + "regex", + "replace" + ], + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "jwt_claim_check": [ + { + "summary": "Allow or deny traffic based on a JWT claim", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." 
+ ], + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "keycloak_role_check": [ + { + "summary": "Adds role check with Keycloak.", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "name": "RH-SSO/Keycloak Role Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + }, + "resource": { + "description": "Resource controlled by role. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "name": { + "description": "Name of the role", + "type": "string" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ] + } +} diff --git a/doc/policies_list/3.11.0/policies.json b/doc/policies_list/3.11.0/policies.json new file mode 100644 index 000000000..291662596 --- /dev/null +++ b/doc/policies_list/3.11.0/policies.json 
@@ -0,0 +1,2953 @@ +{ + "policies": { + "oauth_mtls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ] + } + ], + "websocket": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Websocket", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Allows websocket connection pass through.", + "version": "builtin", + "description": [ + "A policy which allows Websocket traffic for the service" + ] + } + ], + "camel": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Camel Service", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. 
Authentication is not supported" + } + }, + "type": "object" + }, + "summary": "Adds an Camel proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "apicast": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale APIcast", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "version": "builtin", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ] + } + ], + "default_credentials": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Anonymous Access", + "configuration": { + "required": [ + "auth_type" + ], + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + }, + "required": [ + "user_key" + ] + }, + { + "properties": { + "app_id": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_key": { + "type": "string" + } + }, + "required": [ + "app_id", + "app_key" + ] + } + ] + } + }, + "properties": { + "auth_type": { + "default": "user_key", + "enum": [ + "user_key", + "app_id_and_app_key" + ], + "type": "string" + } + }, + "type": "object" + }, + "summary": "Provides default credentials for unauthenticated requests.", + "version": "builtin", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. 
\n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ] + } + ], + "statuscode_overwrite": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "HTTP Status Code Overwrite", + "configuration": { + "definitions": { + "codes": { + "items": { + "required": [ + "upstream", + "apicast" + ], + "properties": { + "apicast": { + "maximum": 600, + "minimum": 100, + "title": "Return HTTP code", + "description": "HTTP code to return", + "type": "integer" + }, + "upstream": { + "maximum": 600, + "minimum": 100, + "title": "Upstream", + "description": "Upstream HTTP code to replace", + "type": "integer" + } + }, + "type": "object" + }, + "description": "List of codes to overwrite", + "type": "array" + } + }, + "properties": { + "http_statuses": { + "title": "HTTP status codes map", + "$ref": "#/definitions/codes" + } + }, + "type": "object" + }, + "summary": "Modify the HTTP status code returned by the upstream", + "version": "builtin", + "description": [ + "Configures a 1-1 mapping for upstream's http codes." 
+ ] + } + ], + "caching": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Auth Caching", + "configuration": { + "required": [ + "caching_type" + ], + "properties": { + "caching_type": { + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "description": "Caching mode", + "type": "string" + } + }, + "type": "object" + }, + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "version": "builtin", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ] + } + ], + "tls_validation": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "TLS Client Certificate Validation", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." + } + }, + "type": "object" + }, + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "version": "builtin", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ] + } + ], + "3scale_referrer": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Referrer", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "version": "builtin", + "description": "Sends the 'Referer' to 3scale backend for validation." + } + ], + "jwt_claim_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "JWT Claim Check", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "required": [ + "resource" + ], + "properties": { + "resource": { + "description": "Resource controlled by the rule. 
This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "properties": { + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + } + }, + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string" + }, + "methods": { + "default": [ + "ANY" + ], + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + } + } + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "summary": "Allow or deny traffic based on a JWT claim", + "version": "builtin", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or 
liquid filters." + ] + } + ], + "upstream_connection": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream Connection", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + } + }, + "type": "object" + }, + "summary": "Allows to configure several options for the connections to the upstream", + "version": "builtin", + "description": "Allows to configure several options for the connections to the upstream" + } + ], + "url_rewriting": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "URL Rewriting", + "configuration": { + "definitions": { + "methods": { + "type": "array", + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "$id": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. 
If left blank it will be applied to all HTTP methods" + } + }, + "properties": { + "query_args_commands": { + "items": { + "required": [ + "op", + "arg" + ], + "properties": { + "value_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "methods": { + "$ref": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods" + }, + "value": { + "type": "string", + "description": "Value" + }, + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + } + }, + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "required": [ + "op", + "regex", + "replace" + ], + "properties": { + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "op": { + "oneOf": [ + { + 
"title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + } + }, + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "summary": "Allows to modify the path of a request.", + "version": "builtin", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ] + } + ], + "payload_limits": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Response/Request content limits", + "configuration": { + "required": [ + "request", + "response" + ], + "properties": { + "request": { + "default": 0, + "minimum": 0, + "title": "The request limit in bytes", + "examples": [ + 0 + ], + "type": "integer", + "description": "Request limit in bytes, 0 allows all" + }, + "response": { + "default": 0, + "minimum": 0, + "title": "The response limit in bytes", + "examples": [ + 0 + ], + "type": "integer", + "description": "Response limit in bytes, 0 allows all" + } + }, + "type": "object" + }, + "summary": "Limit request or response base on the size of the content", + "version": "builtin", + "description": [ + "This policy add limits based on request or response content size." 
+ ] + } + ], + "liquid_context_debug": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Liquid Context Debug", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Inspects the available liquid context.", + "version": "builtin", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." 
+ ] + } + ], + "grpc": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "HTTP2 Endpoint", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "version": "builtin", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ] + } + ], + "conditional": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Conditional Policy [Tech preview]", + "configuration": { + "required": [ + "condition" + ], + "definitions": { + "condition": { + "properties": { + "operations": { + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string" + } + }, + "description": "Condition to be evaluated", + "$id": "#/definitions/condition", + "type": "object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "left": { + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": 
"#/definitions/condition" + } + }, + "type": "object" + }, + "summary": "Executes a policy chain conditionally.", + "version": "builtin", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ] + } + ], + "echo": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Echo", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "summary": "Prints the request back to the client and optionally sets a status code.", + "version": "builtin", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ] + } + ], + "keycloak_role_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "RH-SSO/Keycloak Role Check", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "default": "whitelist", + "enum": [ + "whitelist", + "blacklist" + ], + "type": "string", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource": { + "description": "Resource controlled by role. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + }, + "methods": { + "default": [ + "ANY" + ], + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "summary": "Adds role check with Keycloak.", + "version": "builtin", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." 
+ ] + } + ], + "ip_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "IP Check", + "configuration": { + "required": [ + "ips", + "check_type" + ], + "properties": { + "client_ip_sources": { + "default": [ + "last_caller" + ], + "maxItems": 3, + "type": "array", + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Get the IP from the proxy_protocol_addr variable", + "enum": [ + "proxy_protocol_addr" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "minItems": 1, + "description": "Specifies how to get the client IP and in which order the options are tried" + }, + "error_msg": { + "default": "IP address not allowed", + "description": "", + "type": "string" + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + } + }, + "type": "object" + }, + "summary": "Accepts or denies a request based on the IP.", + "version": "builtin", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." 
+ ] + } + ], + "routing": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Routing", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + }, + "required": [ + "header_name" + ] + }, + { + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + }, + "required": [ + "query_arg_name" + ] + }, + { + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + }, + "required": [ + "jwt_claim_name" + ] + }, + { + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + }, + "required": [ + "liquid_value" + ] + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "$id": "#/definitions/operation", + "required": [ + "match", + "op", + "value" + ], + "properties": { + "value": { + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + }, + "value_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + } + }, + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "required": [ + "url" + ], + "properties": { + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. 
When no specified, keep the original path", + "type": "string" + }, + "url": { + "type": "string" + }, + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. ", + "type": "integer" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "summary": "Allows to modify the upstream URL of the request.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." 
+ ] + } + ], + "tls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "TLS Termination", + "configuration": { + "properties": { + "certificates": { + "title": "TLS certificates", + "items": { + "anyOf": [ + { + "title": "Certificate from local filesystem", + "properties": { + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + }, + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + } + }, + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "title": "Embedded certificate", + "properties": { + "certificate_key": { + "format": "data-url", + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string" + }, + "certificate": { + "format": "data-url", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string" + } + }, + "required": [ + "certificate", + "certificate_key" + ] + } + ], + "type": "object" + }, + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + }, + "type": "object" + }, + "summary": "Configure TLS termination certificates", + "version": "builtin", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ] + } + ], + "upstream": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream", + "configuration": { + "properties": { + "rules": { + "items": { + "required": [ + "regex", + "url" + ], + "properties": { + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "url": { + "type": "string", + "description": "New URL in case of match" + } + }, + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "summary": "Allows to modify the upstream URL of the request based on its path.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ] + } + ], + "nginx_filters": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Nginx Filter", + "configuration": { + "required": [ + "headers" + ], + "properties": { + "headers": { + "title": "Headers to filter", + "items": { + "required": [ + "name", + "append" + ], + "properties": { + "append": { + "title": "Append header to upstream", + "type": "boolean" + }, + "name": { + "title": "Header Name", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + } + }, + "type": "object" + }, + "summary": "Skip nginx filters on certain headers", + "version": "builtin", + "description": [ + "Nginx, by default, checks/validates some request headers. 
This policy allows the user to skips these checks and sends them to the upstream servers. " + ] + } + ], + "3scale_batcher": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "3scale Batcher", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "summary": "Caches auths from 3scale backend and batches reports.", + "version": "builtin", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ] + } + ], + "rate_limit": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Edge Limiting", + "configuration": { + "definitions": { + "key": { + "properties": { + "name_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "type": "string" + }, + "scope": { + "default": "service", + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "error_handling": { + "default": "exit", + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + 
"enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "type": "string", + "description": "How to handle an error" + }, + "condition": { + "properties": { + "operations": { + "minItems": 0, + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string" + } + }, + "description": "Condition to be evaluated", + "$id": "#/definitions/condition", + "type": "object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "left": { + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "fixed_window_limiters": { + "items": { + "required": [ + "key", + "count", + "window" + ], + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + }, + "window": { + "default": 1, + "minimum": 0, + "type": "integer", + "description": "The time window in seconds before the request count is reset" + } + }, + "type": "object" + }, + "type": "array" + }, + "configuration_error": { + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 500, + "type": "integer", + "description": "The status code when there is some configuration issue" + } + }, + "type": "object" + }, + "connection_limiters": { + "items": { + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + }, + 
"rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 429, + "type": "integer", + "description": "The status code when requests over the limit" + } + }, + "type": "object" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "summary": "Adds rate limit.", + "version": "builtin", + "description": [ + "This policy adds rate limit." + ] + } + ], + "headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Header Modification", + "configuration": { + "definitions": { + "commands": { + "items": { + "required": [ + "op", + "header" + ], + "properties": { + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." 
+ }, + "value_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "type": "string" + }, + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + } + }, + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "request": { + "$ref": "#/definitions/commands" + }, + "response": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "summary": "Allows to include custom headers.", + "version": "builtin", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ] + } + ], + "logging": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Logging", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "properties": { + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. 
Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "String to get request information" + } + }, + "type": "object" + }, + "type": "array" + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "condition": { + "properties": { + "operations": { + "items": { + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "properties": { + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "combine_op": { + "default": "and", + "enum": [ + "and", + "or" + ], + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "summary": "Controls logging.", + "version": "builtin", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. 
Also it allows to have a custom access logs format per service" + ] + } + ], + "token_introspection": [ + { + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "name": "OAuth 2.0 Token Introspection", + "configuration": { + "required": [ + "auth_type" + ], + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ], + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting." + } + } + }, + { + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "enum": [ + "client_id+client_secret" + ], + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret." + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + } + }, + "required": [ + "client_id", + "client_secret", + "introspection_url" + ] + } + ] + } + }, + "properties": { + "max_cached_tokens": { + "description": "Max number of tokens to cache", + "minimum": 0, + "maximum": 10000, + "type": "integer" + }, + "auth_type": { + "default": "client_id+client_secret", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ], + "type": "string" + }, + "max_ttl_tokens": { + "description": "Max TTL for cached tokens", + "minimum": 1, + "maximum": 3600, + "type": "integer" + } + }, + "type": "object" + }, + "summary": "Configures OAuth 2.0 Token Introspection.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." 
+ ] + } + ], + "maintenance_mode": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Maintenance Mode", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "left": { + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "status": { + "default": 503, + "type": "integer", + "description": "HTTP status code to return" + }, + "condition": { + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "message": { + "default": "Service Unavailable - Maintenance", + "type": "string", + "description": "HTTP response to return" + }, + "message_content_type": { + "default": "text/plain; charset=utf-8", + "type": "string", + "description": "Content-Type header for the response" + } + }, + "type": "object" + }, + "summary": "Rejects incoming 
requests. Useful for maintenance periods.", + "version": "builtin", + "description": [ + "A policy which allows you to reject incoming requests with a specified status code and message. ", + "It's useful for maintenance periods or to temporarily block an API. \n", + "It allows to select a list of Upstream URLs for which to enable the maintenance mode." + ] + } + ], + "content_caching": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Content caching", + "configuration": { + "definitions": { + "rule": { + "$id": "#/definitions/rule", + "title": "Rule", + "required": [ + "cache" + ], + "properties": { + "header": { + "title": "Header name ", + "default": "X-Cache-Status", + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "type": "string" + }, + "condition": { + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "cache": { + "title": "Enable cache if match", + "default": false, + "type": "boolean" + } + }, + "type": "object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "type": "string" + 
}, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "left": { + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "minItems": 1, + "title": "Rules", + "items": { + "$ref": "#/definitions/rule" + }, + "type": "array", + "description": "Rules to enable/disable caching" + } + }, + "type": "object" + }, + "summary": "Option to enable content caching on responses.", + "version": "builtin", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any Liquid filter operation" + ] + } + ], + "upstream_mtls": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Upstream Mutual TLS", + "configuration": { + "dependencies": { + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate_type": { + "const": "embedded" + }, + "certificate": { + "title": "Certificate", + "format": "data-url", + "type": "string" + } + } + }, + { + "properties": { + "certificate_type": { + "const": "path" + }, + "certificate": { + "title": "Certificate", + "type": "string" + } + } + } + ] + }, + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key": { + "title": "Certificate Key", + "format": "data-url", + "type": "string" + }, + "certificate_key_type": { + "const": "embedded" + } + } + }, + { + "properties": { + "certificate_key": { + "title": "Certificate Key", + "type": "string" + }, + "certificate_key_type": { + "const": "path" + } + } + } + ] + } + }, + "required": [ + "certificate_type", + "certificate_key_type" + ], + "title": "Upstream MTLS", + "description": "Built-in Upstream MTLS APIcast policy", + "properties": { + "certificate_type": { + "title": "Certificate type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + }, + 
"certificate_key_type": { + "title": "Certificate key type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + }, + "verify": { + "description": "Verify upstream connection", + "type": "boolean" + }, + "ca_certificates": { + "title": "CA certificates", + "items": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "summary": "Certificates to be used with the upstream API", + "version": "builtin", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config" + } + ], + "http_proxy": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "name": "Proxy Service", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + } + }, + "type": "object" + }, + "summary": "Adds an HTTP proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "soap": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "SOAP", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "properties": { + "metric_system_name": { + "type": "string", + "description": "Metric." 
+ }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + }, + "delta": { + "type": "integer", + "description": "Value." + } + }, + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "summary": "Adds support for a small subset of SOAP.", + "version": "builtin", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ] + } + ], + "on_failed": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "On fail", + "configuration": { + "properties": { + "error_status_code": { + "description": "Status code that will send to the user if any policy fails", + "minimum": 100, + "exclusiveMaximum": 700, + "type": "integer" + } + }, + "type": "object" + }, + "summary": "Block request if any policy fails", + "version": "builtin", + "description": "When a policy fails, this policy allows to set an error message back to the user and stop processing the request to the upstream API." 
+ } + ], + "rewrite_url_captures": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "URL Rewriting with Captures", + "configuration": { + "definitions": { + "methods": { + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "type": "array" + } + }, + "properties": { + "transformations": { + "items": { + "properties": { + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + }, + "methods": { + "$ref": "#/definitions/methods" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "version": "builtin", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ] + } + ], + "retry": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Retry", + "configuration": { + "properties": { + "retries": { + "description": "Number of retries", + "minimum": 1, + "maximum": 10, + "type": "integer" + } + }, + "type": "object" + }, + "summary": "Allows to retry requests to the upstream", + "version": "builtin", + "description": "Allows to retry requests to the upstream" + } + ], + "custom_metrics": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Custom Metrics", + "configuration": { + "properties": { + "rules": { + "minItems": 1, + "items": { + "$ref": "#/definitions/custom_metrics_rule" + }, + "type": "array" + } + }, + "definitions": { + "custom_metrics_rule": { + "required": [ + "metric", + "condition", + "increment" + ], + "properties": { + "metric": { + "title": "Metric to increment ", + "default": "", + "description": "Metric name to increment in case of condition match (liquid input)", + "type": "string" + }, + "increment": { + "title": "Increment ", + "default": "1", + "description": "How many hits should be incremented, liquid value ", + "type": "string" + }, + "condition": { + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "right": { + "type": "string" + }, + "left_type": { + "default": "plain", + "oneOf": [ + 
{ + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "left": { + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + } + }, + "summary": "Custom metrics on Nginx post actions ", + "version": "builtin", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ] + } + ], + "rate_limit_headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "Rate Limits Headers", + "configuration": {}, + "summary": "Set rate limit headers on response", + "version": "builtin", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." 
+ ] + } + ], + "cors": [ + { + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "name": "CORS Request Handling", + "configuration": { + "properties": { + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'." + }, + "max_age": { + "type": "integer", + "description": "The ttl of the preflight response (default: 600)" + } + }, + "type": "object" + }, + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "version": "builtin", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." + ] + } + ] + } +} diff --git a/doc/policies_list/3.11.1/policies.json b/doc/policies_list/3.11.1/policies.json new file mode 100644 index 000000000..f3aa3004b 
--- /dev/null
+++ b/doc/policies_list/3.11.1/policies.json
@@ -0,0 +1,2953 @@ +{ + "policies": { + "nginx_filters": [ + { + "name": "Nginx Filter", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Skip nginx filters on certain headers", + "version": "builtin", + "description": [ + "Nginx, by default, checks/validates some request headers. This policy allows the user to skips these checks and sends them to the upstream servers. " + ], + "configuration": { + "properties": { + "headers": { + "items": { + "properties": { + "name": { + "type": "string", + "title": "Header Name" + }, + "append": { + "type": "boolean", + "title": "Append header to upstream" + } + }, + "type": "object", + "required": [ + "name", + "append" + ] + }, + "title": "Headers to filter", + "type": "array", + "minItems": 1 + } + }, + "type": "object", + "required": [ + "headers" + ] + } + } + ], + "rate_limit": [ + { + "name": "Edge Limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Adds rate limit.", + "version": "builtin", + "description": [ + "This policy adds rate limit." 
+ ], + "configuration": { + "definitions": { + "key": { + "properties": { + "name": { + "type": "string", + "description": "The name of the key, must be unique in the scope" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'name'", + "type": "string" + }, + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "default": "service", + "type": "string", + "description": "Scope of the key" + } + }, + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object", + "type": "object" + }, + "condition": { + "properties": { + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array", + "minItems": 0 + }, + "combine_op": { + "default": "and", + "type": "string", + "enum": [ + "and", + "or" + ] + } + }, + "$id": "#/definitions/condition", + "type": "object", + "description": "Condition to be evaluated" + }, + "operation": { + "properties": { + "left": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'right'", + "type": "string" + }, + "right": { + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "left", + "op", + "right" + ] + }, + "error_handling": { + "$id": "#/definitions/error_handling", + "default": "exit", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "type": "string", + "description": "How to handle an error" + } + }, + "properties": { + "connection_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "burst": { + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed", + "type": "integer", + "minimum": 0 + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + } + } + }, + "redis_url": { + "description": "URL of Redis", + "type": "string" + }, + "limits_exceeded_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 429, + "type": "integer", + "description": "The status code when requests over the limit" + } + } + }, + "leaky_bucket_limiters": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "burst": { + "description": "The number of excessive requests per second allowed to be delayed", + "type": "integer", + 
"minimum": 0 + }, + "condition": { + "$ref": "#/definitions/condition" + } + } + } + }, + "fixed_window_limiters": { + "type": "array", + "items": { + "properties": { + "key": { + "$ref": "#/definitions/key" + }, + "window": { + "default": 1, + "description": "The time window in seconds before the request count is reset", + "type": "integer", + "minimum": 0 + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + } + }, + "configuration_error": { + "type": "object", + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "default": 500, + "type": "integer", + "description": "The status code when there is some configuration issue" + } + } + } + }, + "type": "object" + } + } + ], + "logging": [ + { + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Controls logging.", + "version": "builtin", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. 
Also it allows to have a custom access logs format per service" + ], + "configuration": { + "definitions": { + "value_type": { + "type": "string", + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "properties": { + "json_object_config": { + "type": "array", + "items": { + "type": "object", + "properties": { + "key": { + "description": "Key for the the json object", + "type": "string" + }, + "value": { + "description": "String to get request information", + "type": "string" + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + } + } + } + }, + "enable_access_logs": { + "description": "Whether to enable access logs for the service", + "type": "boolean" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "properties": { + "match_type": { + "description": "How to evaluate 'match' value", + "$ref": "#/definitions/value_type" + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + }, + "match": { + "description": "String to get request information to match", + "type": "string" + }, + "value": { + "description": "Value to compare the retrieved match", + "type": "string" + }, + "op": { + "type": "string", + "description": "Match operation to compare match field with the provided value", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "type": "object", + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ] + } + }, + "combine_op": { + "default": "and", + "type": "string", + "enum": [ + "and", + "or" + ] + } + } + }, + "custom_logging": { + "title": "Custom logging format", + "description": "A string variable that uses liquid templating to render a custom access log entry. 
All Nginx variables can be used plus per service entries", + "type": "string" + }, + "enable_json_logs": { + "description": "To enable logs in json format. Custom logging format will be disabled", + "type": "boolean" + } + }, + "type": "object" + } + } + ], + "maintenance_mode": [ + { + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "version": "builtin", + "description": [ + "A policy which allows you to reject incoming requests with a specified status code and message. ", + "It's useful for maintenance periods or to temporarily block an API. \n", + "It allows to select a list of Upstream URLs for which to enable the maintenance mode." + ], + "configuration": { + "definitions": { + "operation": { + "properties": { + "left": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'right'", + "type": "string" + }, + "right": { + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "left", + "op", + "right" + ] + } + }, + "properties": { + "message": { + "default": "Service Unavailable - Maintenance", + "type": "string", + "description": "HTTP response to return" + }, + "condition": { + "properties": { + "combine_op": { + "default": "and", + "title": "Combine operation", + "type": "string", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array", + "minItems": 1 + } + }, + "title": "Condition", + "type": "object", + "required": [ + "combine_op", + "operations" + ] + }, + "message_content_type": { + "default": "text/plain; charset=utf-8", + "type": "string", + "description": "Content-Type header for the response" + }, + "status": { + "default": 503, + "type": "integer", + "description": "HTTP status code to return" + } + }, + "type": "object" + } + } + ], + "upstream_mtls": [ + { + "name": "Upstream Mutual TLS", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Certificates to be used with the upstream API", + "version": "builtin", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config", + "configuration": { + "title": "Upstream MTLS", + "dependencies": { + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "title": "Certificate Key", + "format": "data-url", + "type": "string" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "type": "string", + "title": "Certificate Key" + } + } + } + ] + }, + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate": { + "title": "Certificate", + "format": "data-url", + "type": 
"string" + }, + "certificate_type": { + "const": "embedded" + } + } + }, + { + "properties": { + "certificate": { + "type": "string", + "title": "Certificate" + }, + "certificate_type": { + "const": "path" + } + } + } + ] + } + }, + "properties": { + "certificate_key_type": { + "default": "path", + "title": "Certificate key type", + "type": "string", + "enum": [ + "path", + "embedded" + ] + }, + "verify": { + "type": "boolean", + "description": "Verify upstream connection" + }, + "ca_certificates": { + "items": { + "title": "PEM formatted certificate", + "type": "string", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----" + }, + "title": "CA certificates", + "type": "array" + }, + "certificate_type": { + "default": "path", + "title": "Certificate type", + "type": "string", + "enum": [ + "path", + "embedded" + ] + } + }, + "description": "Built-in Upstream MTLS APIcast policy", + "type": "object", + "required": [ + "certificate_type", + "certificate_key_type" + ] + } + } + ], + "rewrite_url_captures": [ + { + "name": "URL Rewriting with Captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "version": "builtin", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "configuration": { + "definitions": { + "methods": { + "items": { + "type": "string", + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ] + }, + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "type": "array" + } + }, + "properties": { + "transformations": { + "type": "array", + "items": { + "type": "object", + "properties": { + "match_rule": { + "type": "string", + "description": "Rule to be matched" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "template": { + "type": "string", + "description": "Template in which the matched args are replaced" + } + } + } + } + }, + "type": "object" + } + } + ], + "custom_metrics": [ + { + "name": "Custom Metrics", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Custom metrics on Nginx post actions ", + "version": "builtin", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." 
+ ], + "configuration": { + "definitions": { + "operation": { + "properties": { + "left": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'right'", + "type": "string" + }, + "right": { + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "left", + "op", + "right" + ] + }, + "custom_metrics_rule": { + "properties": { + "increment": { + "default": "1", + "title": "Increment ", + "type": "string", + "description": "How many hits should be incremented, liquid value " + }, + "metric": { + "default": "", + "title": "Metric to increment ", + "type": "string", + "description": "Metric name to increment in case of condition match (liquid input)" + }, + "condition": { + "properties": { + "combine_op": { + "default": "and", + "title": "Combine operation", + "type": "string", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array", + "minItems": 1 + } + }, + "title": "Condition", + "type": "object", + "required": [ + "combine_op", + "operations" + ] + } + }, + "type": "object", + "required": [ + "metric", + "condition", + "increment" + ] + } + }, + "properties": { + "rules": { + "items": { + "$ref": "#/definitions/custom_metrics_rule" + }, + "type": "array", + "minItems": 1 + } 
+ } + } + } + ], + "cors": [ + { + "name": "CORS Request Handling", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "version": "builtin", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." + ], + "configuration": { + "type": "object", + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_methods": { + "items": { + "type": "string", + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. 
Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'.", + "type": "string" + }, + "max_age": { + "description": "The ttl of the preflight response (default: 600)", + "type": "integer" + }, + "allow_credentials": { + "description": "Whether the request can be made using credentials", + "type": "boolean" + } + } + } + } + ], + "3scale_batcher": [ + { + "name": "3scale Batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Caches auths from 3scale backend and batches reports.", + "version": "builtin", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ], + "configuration": { + "type": "object", + "properties": { + "batch_report_seconds": { + "description": "Duration (in seconds) for batching reports", + "type": "integer" + }, + "auths_ttl": { + "description": "TTL for cached auths in seconds", + "type": "integer" + } + } + } + } + ], + "oauth_mtls": [ + { + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." 
+ ], + "configuration": { + "type": "object", + "properties": {} + } + } + ], + "websocket": [ + { + "name": "Websocket", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows websocket connection pass through.", + "version": "builtin", + "description": [ + "A policy which allows Websocket traffic for the service" + ], + "configuration": { + "type": "object", + "properties": {} + } + } + ], + "camel": [ + { + "name": "Camel Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Adds an Camel proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "configuration": { + "type": "object", + "properties": { + "http_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported", + "type": "string" + }, + "all_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported.", + "type": "string" + }, + "https_proxy": { + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported", + "type": "string" + } + } + } + } + ], + "upstream": [ + { + "name": "Upstream", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Allows to modify the upstream URL of the request based on its path.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. 
\n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "configuration": { + "type": "object", + "properties": { + "rules": { + "items": { + "properties": { + "regex": { + "description": "Regular expression to be matched", + "type": "string" + }, + "url": { + "description": "New URL in case of match", + "type": "string" + } + }, + "type": "object", + "required": [ + "regex", + "url" + ] + }, + "description": "List of rules to be applied", + "type": "array" + } + } + } + } + ], + "default_credentials": [ + { + "name": "Anonymous Access", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Provides default credentials for unauthenticated requests.", + "version": "builtin", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." 
+ ], + "configuration": { + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_id": { + "type": "string" + } + } + } + ] + } + }, + "properties": { + "auth_type": { + "default": "user_key", + "type": "string", + "enum": [ + "user_key", + "app_id_and_app_key" + ] + } + }, + "type": "object", + "required": [ + "auth_type" + ] + } + } + ], + "caching": [ + { + "name": "3scale Auth Caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "version": "builtin", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "configuration": { + "properties": { + "caching_type": { + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "description": "Caching mode", + "type": "string" + } + }, + "type": "object", + "required": [ + "caching_type" + ] + } + } + ], + "tls_validation": [ + { + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "version": "builtin", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "$id": "#/definitions/certificate", + "type": "object", + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "type": "string", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----" + } + } + } + }, + "properties": { + "whitelist": { + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted.", + "$ref": "#/definitions/store" + } + }, + "type": "object" + } + } + ], + "3scale_referrer": [ + { + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "version": "builtin", + "description": "Sends the 'Referer' to 3scale backend for validation.", + "configuration": { + "type": 
"object", + "properties": {} + } + } + ], + "rate_limit_headers": [ + { + "name": "Rate Limits Headers", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Set rate limit headers on response", + "version": "builtin", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." + ], + "configuration": {} + } + ], + "jwt_claim_check": [ + { + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allow or deny traffic based on a JWT claim", + "version": "builtin", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ], + "configuration": { + "definitions": { + "value_type": { + "$id": "#/definitions/value_type", + "type": "string", + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "properties": { + "rules": { + "type": "array", + "items": { + "properties": { + "combine_op": { + "default": "and", + "type": "string", + "enum": [ + "and", + "or" + ] + }, + "methods": { + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "default": [ + "ANY" + ], + "description": "Allowed methods", + "type": "array" + }, + "resource": { + "type": "string", + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." 
+ }, + "resource_type": { + "description": "How to evaluate 'resource' field", + "$ref": "#/definitions/value_type" + }, + "operations": { + "items": { + "properties": { + "jwt_claim": { + "description": "String to get JWT claim", + "type": "string" + }, + "jwt_claim_type": { + "description": "How to evaluate 'jwt_claim' value", + "$ref": "#/definitions/value_type" + }, + "value_type": { + "description": "How to evaluate 'value' field", + "$ref": "#/definitions/value_type" + }, + "value": { + "description": "Value to compare the retrieved JWT claim", + "type": "string" + }, + "op": { + "type": "string", + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "type": "object", + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ] + }, + "description": "Operations to perform the condition", + "type": "array" + } + }, + "required": [ + "resource" + ] + } + }, + "error_message": { + "title": "Error message", + "description": "Error message to show to user when traffic is blocked", + "type": "string" + } + }, + "type": "object" + } + } + ], + "upstream_connection": [ + { + "name": "Upstream Connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to configure several options for the connections to the upstream", + "version": "builtin", + "description": "Allows to configure several options for the connections to the upstream", + "configuration": { + "type": "object", + "properties": { + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "description": "Timeout for establishing a connection (in seconds).", + "type": "integer" + }, + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two 
successive write operations (in seconds).", + "type": "number" + } + } + } + } + ], + "url_rewriting": [ + { + "name": "URL Rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to modify the path of a request.", + "version": "builtin", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ], + "configuration": { + "definitions": { + "methods": { + "items": { + "type": "string", + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ] + }, + "$id": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "type": "array" + } + }, + "properties": { + "query_args_commands": { + "items": { + "properties": { + "methods": { + "description": "Array of HTTP methods this rule must be applied to. 
If left blank it will be applied to all HTTP methods", + "$ref": "#/definitions/methods" + }, + "value_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "type": "string" + }, + "arg": { + "description": "Query argument", + "type": "string" + }, + "value": { + "description": "Value", + "type": "string" + }, + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + } + }, + "type": "object", + "required": [ + "op", + "arg" + ] + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "replace": { + "description": "String that will replace what is matched by the regex", + "type": "string" + }, + "break": { + "description": "when set to true, if the command rewrote the URL, it will be the last one applied", + "type": "boolean" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "regex": { + "description": "Regular expression to be matched", + "type": "string" + }, + "options": { + "description": "Options that define how the regex matching is performed", + "type": "string" + } + }, + 
"type": "object", + "required": [ + "op", + "regex", + "replace" + ] + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + } + } + ], + "liquid_context_debug": [ + { + "name": "Liquid Context Debug", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + }, + { + "name": "upstream", + "version": "builtin" + }, + { + "name": "routing", + "version": "builtin" + } + ] + }, + "summary": "Inspects the available liquid context.", + "version": "builtin", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." + ], + "configuration": { + "type": "object", + "properties": {} + } + } + ], + "headers": [ + { + "name": "Header Modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to include custom headers.", + "version": "builtin", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." 
+ ], + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "value_type": { + "default": "plain", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "type": "string" + }, + "header": { + "description": "Header to be modified", + "type": "string" + }, + "value": { + "description": "Value that will be added, set or pushed in the header. Not needed when deleting.", + "type": "string" + }, + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + } + }, + "type": "object", + "required": [ + "op", + "header" + ] + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + } + } + ], + "grpc": [ + { + "name": "HTTP2 Endpoint", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "version": "builtin", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ], + "configuration": { + "type": "object", + "properties": {} + } + } + ], + "on_failed": [ + { + "name": "On fail", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Block request if any policy fails", + "version": 
"builtin", + "description": "When a policy fails, this policy allows to set an error message back to the user and stop processing the request to the upstream API.", + "configuration": { + "type": "object", + "properties": { + "error_status_code": { + "type": "integer", + "exclusiveMaximum": 700, + "description": "Status code that will send to the user if any policy fails", + "minimum": 100 + } + } + } + } + ], + "conditional": [ + { + "name": "Conditional Policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Executes a policy chain conditionally.", + "version": "builtin", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "configuration": { + "definitions": { + "operation": { + "properties": { + "left": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'right'", + "type": "string" + }, + "right": { + "type": "string" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=" + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "left", + "op", + "right" + ] + }, + "condition": { + "properties": { + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array", + "minItems": 1 + }, + "combine_op": { + "default": "and", + "type": "string", + "enum": [ + "and", + "or" + ] + } + }, + "$id": "#/definitions/condition", + "type": "object", + 
"description": "Condition to be evaluated" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "type": "object", + "required": [ + "condition" + ] + } + } + ], + "token_introspection": [ + { + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "summary": "Configures OAuth 2.0 Token Introspection.", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ], + "configuration": { + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "description": "Introspection Endpoint URL", + "type": "string" + }, + "client_id": { + "description": "Client ID for the Token Introspection Endpoint", + "type": "string" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "description": "Client Secret for the Token Introspection Endpoint", + "type": "string" + } + } + } + ] + } + }, + "properties": { + "max_cached_tokens": { + "type": "integer", + "maximum": 10000, + "description": "Max number of tokens to cache", + "minimum": 0 + }, + "auth_type": { + "default": "client_id+client_secret", + "type": "string", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ] + }, + "max_ttl_tokens": { + "type": "integer", + "maximum": 3600, + 
"description": "Max TTL for cached tokens", + "minimum": 1 + } + }, + "type": "object", + "required": [ + "auth_type" + ] + } + } + ], + "echo": [ + { + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Prints the request back to the client and optionally sets a status code.", + "version": "builtin", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ], + "configuration": { + "type": "object", + "properties": { + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + }, + "status": { + "description": "HTTP status code to be returned", + "type": "integer" + } + } + } + } + ], + "payload_limits": [ + { + "name": "Response/Request content limits", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Limit request or response base on the size of the content", + "version": "builtin", + "description": [ + "This policy add limits based on request or response content size." 
+ ], + "configuration": { + "properties": { + "response": { + "title": "The response limit in bytes", + "default": 0, + "examples": [ + 0 + ], + "description": "Response limit in bytes, 0 allows all", + "type": "integer", + "minimum": 0 + }, + "request": { + "title": "The request limit in bytes", + "default": 0, + "examples": [ + 0 + ], + "description": "Request limit in bytes, 0 allows all", + "type": "integer", + "minimum": 0 + } + }, + "type": "object", + "required": [ + "request", + "response" + ] + } + } + ], + "keycloak_role_check": [ + { + "name": "RH-SSO/Keycloak Role Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Adds role check with Keycloak.", + "version": "builtin", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "configuration": { + "definitions": { + "value_type": { + "$id": "#/definitions/value_type", + "type": "string", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ] + } + }, + "properties": { + "scopes": { + "type": "array", + "items": { + "type": "object", + "properties": { + "realm_roles": { + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the role" + }, + "name_type": { + "description": "How to evaluate 'name'", + "$ref": "#/definitions/value_type" + } + } + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "description": "Name of the role" + }, + "client": { + "type": "string", + "description": "Client of the role." 
+ }, + "name_type": { + "description": "How to evaluate 'name'", + "$ref": "#/definitions/value_type" + }, + "client_type": { + "description": "How to evaluate 'client'", + "$ref": "#/definitions/value_type" + } + } + }, + "type": "array", + "description": "Client roles" + }, + "methods": { + "items": { + "type": "string", + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ] + }, + "default": [ + "ANY" + ], + "description": "Allowed methods", + "type": "array" + }, + "resource_type": { + "description": "How to evaluate 'resource'", + "$ref": "#/definitions/value_type" + }, + "resource": { + "type": "string", + "description": "Resource controlled by role. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end." + } + } + } + }, + "type": { + "default": "whitelist", + "description": "Type of the role check", + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ] + } + }, + "type": "object" + } + } + ], + "http_proxy": [ + { + "name": "Proxy Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Adds an HTTP proxy to the service.", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "configuration": { + "type": "object", + "properties": { + "http_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported", + "type": "string" + }, + "all_proxy": { + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported.", + "type": "string" + }, + "https_proxy": { + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. 
Authentication is not supported", + "type": "string" + } + } + } + } + ], + "ip_check": [ + { + "name": "IP Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Accepts or denies a request based on the IP.", + "version": "builtin", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ], + "configuration": { + "properties": { + "error_msg": { + "default": "IP address not allowed", + "description": "", + "type": "string" + }, + "client_ip_sources": { + "default": [ + "last_caller" + ], + "items": { + "type": "string", + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Get the IP from the proxy_protocol_addr variable", + "enum": [ + "proxy_protocol_addr" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ] + }, + "maxItems": 3, + "description": "Specifies how to get the client IP and in which order the options are tried", + "type": "array", + "minItems": 1 + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + } + }, + "type": "object", + "required": [ + "ips", + "check_type" + ] + } + } + ], + "soap": [ + { + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Adds support for a small subset of SOAP.", + "version": "builtin", + "description": [ + "This policy 
adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "configuration": { + "type": "object", + "properties": { + "mapping_rules": { + "items": { + "properties": { + "pattern": { + "description": "Pattern to match against the request.", + "type": "string" + }, + "delta": { + "description": "Value.", + "type": "integer" + }, + "metric_system_name": { + "description": "Metric.", + "type": "string" + } + }, + "type": "object", + "required": [ + "pattern", + "metric_system_name", + "delta" + ] + }, + "description": "Mapping rules.", + "type": "array" + } + } + } + } + ], + "routing": [ + { + "name": "Routing", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "order": { + "before": [ + { + "name": "apicast", + "version": "builtin" + } + ] + }, + "summary": "Allows to modify the upstream URL of the request.", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." 
+ ], + "configuration": { + "definitions": { + "operation": { + "properties": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'type'", + "type": "string" + }, + "match": { + "type": "string", + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ] + }, + "value": { + "type": "string" + }, + "op": { + "type": "string", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "match", + "op", + "value" + ] + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string" + }, + "host_header": { + "description": "Host for the Host header. 
When not specified, defaults to the host of the URL.", + "type": "string" + }, + "condition": { + "type": "object", + "properties": { + "operations": { + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "default": "and", + "type": "string", + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ] + } + } + }, + "owner_id": { + "type": "integer", + "description": "Value to only increment hits on the mapping rules owner by the same id. " + }, + "replace_path": { + "type": "string", + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path" + } + }, + "type": "object", + "required": [ + "url" + ] + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + } + } + ], + "content_caching": [ + { + "name": "Content caching", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Option to enable content caching on responses.", + "version": "builtin", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any Liquid filter operation" + ], + "configuration": { + "definitions": { + "operation": { + "properties": { + "left": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'left'", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "description": "How to evaluate 'right'", + "type": 
"string" + }, + "right": { + "type": "string" + }, + "op": { + "type": "string", + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ] + } + }, + "$id": "#/definitions/operation", + "type": "object", + "required": [ + "left", + "op", + "right" + ] + }, + "rule": { + "title": "Rule", + "properties": { + "header": { + "default": "X-Cache-Status", + "title": "Header name ", + "type": "string", + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)" + }, + "cache": { + "title": "Enable cache if match", + "type": "boolean", + "default": false + }, + "condition": { + "properties": { + "combine_op": { + "default": "and", + "title": "Combine operation", + "type": "string", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array", + "minItems": 1 + } + }, + "title": "Condition", + "type": "object", + "required": [ + "combine_op", + "operations" + ] + } + }, + "$id": "#/definitions/rule", + "type": "object", + "required": [ + "cache" + ] + } + }, + "properties": { + "rules": { + "title": "Rules", + "items": { + "$ref": "#/definitions/rule" + }, + "description": "Rules to enable/disable caching", + "type": "array", + "minItems": 1 + } + }, + "type": "object" + } + } + ], + "statuscode_overwrite": [ + { + "name": "HTTP Status Code Overwrite", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Modify the HTTP status code returned by the upstream", + "version": "builtin", + "description": [ + "Configures a 1-1 mapping for upstream's http codes." 
+ ], + "configuration": { + "definitions": { + "codes": { + "items": { + "properties": { + "apicast": { + "title": "Return HTTP code", + "maximum": 600, + "description": "HTTP code to return", + "type": "integer", + "minimum": 100 + }, + "upstream": { + "title": "Upstream", + "maximum": 600, + "description": "Upstream HTTP code to replace", + "type": "integer", + "minimum": 100 + } + }, + "type": "object", + "required": [ + "upstream", + "apicast" + ] + }, + "description": "List of codes to overwrite", + "type": "array" + } + }, + "properties": { + "http_statuses": { + "$ref": "#/definitions/codes", + "title": "HTTP status codes map" + } + }, + "type": "object" + } + } + ], + "tls": [ + { + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Configure TLS termination certificates", + "version": "builtin", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." + ], + "configuration": { + "type": "object", + "properties": { + "certificates": { + "items": { + "type": "object", + "anyOf": [ + { + "properties": { + "certificate_path": { + "type": "string", + "title": "Path to the certificate" + }, + "certificate_key_path": { + "type": "string", + "title": "Path to the certificate private key" + } + }, + "title": "Certificate from local filesystem", + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string", + "format": "data-url" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string", + "format": "data-url" + } + }, + "title": "Embedded certificate", + "required": [ + "certificate", + "certificate_key" + ] + } + ] + }, + 
"title": "TLS certificates", + "description": "The first valid certificate is going to be served to the client.", + "type": "array" + } + } + } + } + ], + "retry": [ + { + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to retry requests to the upstream", + "version": "builtin", + "description": "Allows to retry requests to the upstream", + "configuration": { + "type": "object", + "properties": { + "retries": { + "type": "integer", + "maximum": 10, + "description": "Number of retries", + "minimum": 1 + } + } + } + } + ], + "apicast": [ + { + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "version": "builtin", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "configuration": { + "type": "object", + "properties": {} + } + } + ] + } +} diff --git a/doc/policies_list/3.12.0/policies.json b/doc/policies_list/3.12.0/policies.json new file mode 100644 index 000000000..db9aa1c3e --- /dev/null +++ b/doc/policies_list/3.12.0/policies.json 
@@ -0,0 +1,2953 @@ +{ + "policies": { + "tls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Configure TLS termination certificates", + "configuration": { + "properties": { + "certificates": { + "title": "TLS certificates", + "description": "The first valid certificate is going to be served to the client.", + "items": { + "anyOf": [ + { + "title": "Certificate from local filesystem", + "required": [ + "certificate_path", + "certificate_key_path" + ], + "properties": { + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + }, + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + } + } + }, + { + "title": "Embedded certificate", + "required": [ + "certificate", + "certificate_key" + ], + "properties": { + "certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "format": "data-url", + "type": "string" + }, + "certificate_key": { + "title": "PEM formatted certificate private key", + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "format": "data-url", + "type": "string" + } + } + } + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "name": "TLS Termination", + "version": "builtin", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ] + } + ], + "payload_limits": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Limit request or response base on the size of the content", + "configuration": { + "properties": { + "response": { + "default": 0, + "minimum": 0, + "title": "The response limit in bytes", + "description": "Response limit in bytes, 0 allows all", + "examples": [ + 0 + ], + "type": "integer" + }, + "request": { + "default": 0, + "minimum": 0, + "title": "The request limit in bytes", + "description": "Request limit in bytes, 0 allows all", + "examples": [ + 0 + ], + "type": "integer" + } + }, + "type": "object", + "required": [ + "request", + "response" + ] + }, + "name": "Response/Request content limits", + "version": "builtin", + "description": [ + "This policy add limits based on request or response content size." + ] + } + ], + "nginx_filters": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "headers" + ], + "type": "object", + "properties": { + "headers": { + "title": "Headers to filter", + "items": { + "required": [ + "name", + "append" + ], + "type": "object", + "properties": { + "append": { + "title": "Append header to upstream", + "type": "boolean" + }, + "name": { + "title": "Header Name", + "type": "string" + } + } + }, + "minItems": 1, + "type": "array" + } + } + }, + "summary": "Skip nginx filters on certain headers", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "Nginx Filter", + "version": "builtin", + "description": [ + "Nginx, by default, checks/validates some request headers. This policy allows the user to skips these checks and sends them to the upstream servers. 
" + ] + } + ], + "retry": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to retry requests to the upstream", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "description": "Number of retries", + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "name": "Retry", + "version": "builtin", + "description": "Allows to retry requests to the upstream" + } + ], + "rate_limit": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Adds rate limit.", + "configuration": { + "properties": { + "leaky_bucket_limiters": { + "items": { + "properties": { + "burst": { + "description": "The number of excessive requests per second allowed to be delayed", + "minimum": 0, + "type": "integer" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "rate": { + "description": "The specified request rate (number per second) threshold", + "exclusiveMinimum": 0, + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "error_handling": { + "$ref": "#/definitions/error_handling" + }, + "status_code": { + "description": "The status code when requests over the limit", + "default": 429, + "type": "integer" + } + }, + "type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "count": { + "description": "The specified number of requests threshold", + "exclusiveMinimum": 0, + "type": "integer" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "window": { + "minimum": 0, + "description": "The time window in seconds before the request count is reset", + "default": 1, + "type": "integer" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + }, + "type": "array" + }, + "configuration_error": { + "properties": { + "error_handling": { + "$ref": 
"#/definitions/error_handling" + }, + "status_code": { + "description": "The status code when there is some configuration issue", + "default": 500, + "type": "integer" + } + }, + "type": "object" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + }, + "connection_limiters": { + "items": { + "properties": { + "conn": { + "description": "The maximum number of concurrent requests allowed", + "exclusiveMinimum": 0, + "type": "integer" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed", + "minimum": 0, + "type": "integer" + }, + "delay": { + "description": "The default processing latency of a typical connection (or request)", + "exclusiveMinimum": 0, + "type": "number" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object", + "definitions": { + "condition": { + "$id": "#/definitions/condition", + "description": "Condition to be evaluated", + "properties": { + "operations": { + "type": "array", + "minItems": 0, + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "type": "object" + }, + "error_handling": { + "$id": "#/definitions/error_handling", + "default": "exit", + "description": "How to handle an error", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "type": "string" + }, + "key": { + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object", + "properties": { + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": 
"How to evaluate 'name'", + "default": "plain", + "type": "string" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "description": "Scope of the key", + "default": "service", + "type": "string" + } + }, + "type": "object" + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left": { + "type": "string" + }, + "op": { + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + }, + "right": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "name": "Edge Limiting", + "version": "builtin", + "description": [ + "This policy adds rate limit." 
+ ] + } + ], + "logging": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Controls logging.", + "configuration": { + "properties": { + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "condition": { + "properties": { + "operations": { + "items": { + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object", + "properties": { + "op": { + "description": "Match operation to compare match field with the provided value", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + } + } + }, + "type": "array" + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "type": "object" + }, + "custom_logging": { + "title": "Custom logging format", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries", + "type": "string" + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. 
Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value": { + "type": "string", + "description": "String to get request information" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "type": "object" + }, + "name": "Logging", + "version": "builtin", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. Also it allows to have a custom access logs format per service" + ] + } + ], + "maintenance_mode": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Rejects incoming requests. 
Useful for maintenance periods.", + "configuration": { + "properties": { + "status": { + "description": "HTTP status code to return", + "default": 503, + "type": "integer" + }, + "message_content_type": { + "description": "Content-Type header for the response", + "default": "text/plain; charset=utf-8", + "type": "string" + }, + "message": { + "description": "HTTP response to return", + "default": "Service Unavailable - Maintenance", + "type": "string" + }, + "condition": { + "title": "Condition", + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object" + } + }, + "definitions": { + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left": { + "type": "string" + }, + "op": { + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + }, + "right": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": "Maintenance Mode", + "version": "builtin", + "description": [ + "A policy which allows you to reject incoming requests with a specified status code and message. ", + "It's useful for maintenance periods or to temporarily block an API. \n", + "It allows to select a list of Upstream URLs for which to enable the maintenance mode." 
+ ] + } + ], + "upstream_mtls": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Certificates to be used with the upstream API", + "configuration": { + "dependencies": { + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "title": "Certificate Key", + "format": "data-url", + "type": "string" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "title": "Certificate Key", + "type": "string" + } + } + } + ] + }, + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate": { + "title": "Certificate", + "format": "data-url", + "type": "string" + }, + "certificate_type": { + "const": "embedded" + } + } + }, + { + "properties": { + "certificate": { + "title": "Certificate", + "type": "string" + }, + "certificate_type": { + "const": "path" + } + } + } + ] + } + }, + "properties": { + "ca_certificates": { + "title": "CA certificates", + "items": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + }, + "type": "array" + }, + "certificate_type": { + "title": "Certificate type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + }, + "certificate_key_type": { + "title": "Certificate key type", + "enum": [ + "path", + "embedded" + ], + "default": "path", + "type": "string" + }, + "verify": { + "description": "Verify upstream connection", + "type": "boolean" + } + }, + "title": "Upstream MTLS", + "description": "Built-in Upstream MTLS APIcast policy", + "type": "object", + "required": [ + "certificate_type", + "certificate_key_type" + ] + }, + "name": "Upstream Mutual TLS", + "version": "builtin", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config" + } + ], + 
"rewrite_url_captures": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "configuration": { + "properties": { + "transformations": { + "items": { + "properties": { + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + }, + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "methods": { + "$ref": "#/definitions/methods" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "definitions": { + "methods": { + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "name": "URL Rewriting with Captures", + "version": "builtin", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ] + } + ], + "custom_metrics": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/custom_metrics_rule" + } + } + }, + "definitions": { + "custom_metrics_rule": { + "properties": { + "increment": { + "title": "Increment ", + "description": "How many hits should be incremented, liquid value ", + "default": "1", + "type": "string" + }, + "condition": { + "title": "Condition", + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object" + }, + "metric": { + "title": "Metric to increment ", + "description": "Metric name to increment in case of condition match (liquid input)", + "default": "", + "type": "string" + } + }, + "type": "object", + "required": [ + "metric", + "condition", + "increment" + ] + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left": { + "type": "string" + }, + "op": { + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + }, + "right": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "summary": "Custom metrics on Nginx post actions ", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "Custom Metrics", + "version": "builtin", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ] + } + ], + "cors": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "description": "Allowed headers", + "items": { + "type": "string" + }, + "type": "array" + }, + "allow_methods": { + "description": "Allowed methods", + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. 'https://example.com') or '*'. If left blank, the value of the 'Origin' request header will be used. 
In order to allow more than one origin it is possible to use a regular expression, if it matches with Origin header value, the value will be set to the Origin Value. In case it does not match, the header will not set at all. Example: '(api|web).test.com' wil match both 'api.test.com' and 'web.test.com'." + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "max_age": { + "type": "integer", + "description": "The ttl of the preflight response (default: 600)" + } + }, + "type": "object" + }, + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "CORS Request Handling", + "version": "builtin", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." 
+ ] + } + ], + "ip_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Accepts or denies a request based on the IP.", + "configuration": { + "required": [ + "ips", + "check_type" + ], + "type": "object", + "properties": { + "client_ip_sources": { + "maxItems": 3, + "default": [ + "last_caller" + ], + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Get the IP from the proxy_protocol_addr variable", + "enum": [ + "proxy_protocol_addr" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "minItems": 1, + "type": "array" + }, + "error_msg": { + "description": "", + "default": "IP address not allowed", + "type": "string" + }, + "check_type": { + "description": "The type of check to apply", + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "type": "string" + }, + "ips": { + "description": "List of IPs", + "items": { + "type": "string" + }, + "type": "array" + } + } + }, + "name": "IP Check", + "version": "builtin", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." 
+ ] + } + ], + "routing": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "description": "List of rules to be applied", + "items": { + "required": [ + "url" + ], + "type": "object", + "properties": { + "url": { + "type": "string" + }, + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path", + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "default": "and", + "type": "string" + } + }, + "type": "object" + }, + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. 
", + "type": "integer" + } + } + }, + "type": "array" + } + }, + "type": "object", + "definitions": { + "operation": { + "$id": "#/definitions/operation", + "properties": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + } + }, + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "type": "object", + "required": [ + "match", + "op", + "value" + ] + } + } + }, + "summary": "Allows to modify the upstream URL of the request.", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "Routing", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. 
\n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ] + } + ], + "camel": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Adds an Camel proxy to the service.", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + } + }, + "type": "object" + }, + "name": "Camel Service", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "default_credentials": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "user_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "user_key" + ] + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_id": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_key": { + "type": "string" + } + } + } + ] + } + }, + "required": [ + "auth_type" + ], + "type": "object", + "properties": { + "auth_type": { + "enum": [ + "user_key", + "app_id_and_app_key" + ], + "default": "user_key", + "type": "string" + } + } + }, + "summary": "Provides default credentials for unauthenticated requests.", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "Anonymous Access", + "version": "builtin", 
+ "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ] + } + ], + "caching": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "configuration": { + "properties": { + "caching_type": { + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "type": "string" + } + }, + "type": "object", + "required": [ + "caching_type" + ] + }, + "name": "3scale Auth Caching", + "version": "builtin", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. 
In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." + ] + } + ], + "http_proxy": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Adds an HTTP proxy to the service.", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + } + }, + "type": "object" + }, + "name": "Proxy Service", + "version": "builtin", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ] + } + ], + "tls_validation": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "configuration": { + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "description": "Individual certificates and CA certificates to be whitelisted.", + "title": "Certificate Whitelist" + } + }, + "type": "object", + "definitions": { + "certificate": { + "$id": "#/definitions/certificate", + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "type": "object" + }, + "store": { + "$id": "#/definitions/store", + 
"items": { + "$ref": "#/definitions/certificate" + }, + "type": "array" + } + } + }, + "name": "TLS Client Certificate Validation", + "version": "builtin", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ] + } + ], + "3scale_batcher": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Caches auths from 3scale backend and batches reports.", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "name": "3scale Batcher", + "version": "builtin", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ] + } + ], + "upstream": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "description": "List of rules to be applied", + "items": { + "required": [ + "regex", + "url" + ], + "type": "object", + "properties": { + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "url": { + "type": "string", + "description": "New URL in case of match" + } + } + }, + "type": "array" + } + }, + "type": "object" + }, + "summary": "Allows to modify the upstream URL of the request based on its path.", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "Upstream", + "version": "builtin", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. 
", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ] + } + ], + "headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to include custom headers.", + "configuration": { + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object", + "definitions": { + "commands": { + "description": "List of operations to apply to the headers", + "items": { + "required": [ + "op", + "header" + ], + "type": "object", + "properties": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "default": "plain", + "type": "string" + }, + "op": { + "description": "Operation to be applied", + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." 
+ } + } + }, + "type": "array" + } + } + }, + "name": "Header Modification", + "version": "builtin", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ] + } + ], + "on_failed": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "error_status_code": { + "exclusiveMaximum": 700, + "description": "Status code that will send to the user if any policy fails", + "minimum": 100, + "type": "integer" + } + }, + "type": "object" + }, + "summary": "Block request if any policy fails", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "name": "On fail", + "version": "builtin", + "description": "When a policy fails, this policy allows to set an error message back to the user and stop processing the request to the upstream API." + } + ], + "jwt_claim_check": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allow or deny traffic based on a JWT claim", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "description": "Operations to perform the condition", + "items": { + "properties": { + "op": { + "description": "Match operation to compare JWT claim with the provided value. 
In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "description": "Error message to show to user when traffic is blocked", + "type": "string" + } + }, + "definitions": { + "value_type": { + "$id": "#/definitions/value_type", + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "type": "object" + }, + "name": "JWT Claim Check", + "version": "builtin", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." 
+ ] + } + ], + "token_introspection": [ + { + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "summary": "Configures OAuth 2.0 Token Introspection.", + "configuration": { + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + } + } + } + ] + } + }, + "required": [ + "auth_type" + ], + "type": "object", + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "description": "Max TTL for cached tokens", + "minimum": 1, + "type": "integer" + }, + "auth_type": { + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ], + "default": "client_id+client_secret", + "type": "string" + }, + "max_cached_tokens": { + "maximum": 10000, + "description": "Max number of tokens to cache", + "minimum": 0, + "type": "integer" + } + } + }, + "name": "OAuth 2.0 Token Introspection", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." 
+ ] + } + ], + "upstream_connection": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to configure several options for the connections to the upstream", + "configuration": { + "properties": { + "read_timeout": { + "description": "Timeout between two successive read operations (in seconds).", + "exclusiveMinimum": 0, + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "send_timeout": { + "description": "Timeout between two successive write operations (in seconds).", + "exclusiveMinimum": 0, + "type": "number" + } + }, + "type": "object" + }, + "name": "Upstream Connection", + "version": "builtin", + "description": "Allows to configure several options for the connections to the upstream" + } + ], + "rate_limit_headers": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Set rate limit headers on response", + "configuration": {}, + "name": "Rate Limits Headers", + "version": "builtin", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." 
+ ] + } + ], + "url_rewriting": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows to modify the path of a request.", + "configuration": { + "properties": { + "query_args_commands": { + "description": "List of commands to apply to the query string args", + "items": { + "required": [ + "op", + "arg" + ], + "type": "object", + "properties": { + "op": { + "description": "Operation to apply to the query argument", + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'value'", + "default": "plain", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "methods": { + "$ref": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. 
If left blank it will be applied to all HTTP methods" + } + } + }, + "type": "array" + }, + "commands": { + "description": "List of rewriting commands to be applied", + "items": { + "required": [ + "op", + "regex", + "replace" + ], + "type": "object", + "properties": { + "op": { + "description": "Operation to be applied (sub or gsub)", + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "type": "string" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + } + } + }, + "type": "array" + } + }, + "definitions": { + "methods": { + "$id": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "name": "URL Rewriting", + "version": "builtin", + "description": [ + "This policy allows to modify the path of a request. 
", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ] + } + ], + "soap": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Adds support for a small subset of SOAP.", + "configuration": { + "properties": { + "mapping_rules": { + "description": "Mapping rules.", + "items": { + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object", + "properties": { + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + }, + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + } + } + }, + "type": "array" + } + }, + "type": "object" + }, + "name": "SOAP", + "version": "builtin", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." 
+ ] + } + ], + "liquid_context_debug": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "summary": "Inspects the available liquid context.", + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "name": "Liquid Context Debug", + "version": "builtin", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." 
+ ] + } + ], + "content_caching": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Option to enable content caching on responses.", + "configuration": { + "properties": { + "rules": { + "items": { + "$ref": "#/definitions/rule" + }, + "title": "Rules", + "description": "Rules to enable/disable caching", + "minItems": 1, + "type": "array" + } + }, + "type": "object", + "definitions": { + "rule": { + "$id": "#/definitions/rule", + "properties": { + "cache": { + "title": "Enable cache if match", + "default": false, + "type": "boolean" + }, + "condition": { + "title": "Condition", + "properties": { + "combine_op": { + "title": "Combine operation", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "required": [ + "combine_op", + "operations" + ], + "type": "object" + }, + "header": { + "title": "Header name ", + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "default": "X-Cache-Status", + "type": "string" + } + }, + "title": "Rule", + "type": "object", + "required": [ + "cache" + ] + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left": { + "type": "string" + }, + "op": { + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + }, + "right": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "name": "Content caching", + "version": "builtin", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any Liquid filter operation" + ] + } + ], + "grpc": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "configuration": { + "properties": {}, + "type": "object" + }, + "name": "HTTP2 Endpoint", + "version": "builtin", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ] + } + ], + "statuscode_overwrite": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Modify the HTTP status code returned by the upstream", + "configuration": { + "properties": { + "http_statuses": { + "title": "HTTP status codes map", + "$ref": "#/definitions/codes" + } + }, + "type": "object", + "definitions": { + "codes": { + "description": "List of codes to overwrite", + "items": { + "properties": { + "upstream": { + "minimum": 100, + "title": "Upstream", + "description": "Upstream HTTP code to replace", + "maximum": 600, + "type": "integer" + }, + "apicast": { + "minimum": 100, + "title": "Return HTTP code", + "description": 
"HTTP code to return", + "maximum": 600, + "type": "integer" + } + }, + "type": "object", + "required": [ + "upstream", + "apicast" + ] + }, + "type": "array" + } + } + }, + "name": "HTTP Status Code Overwrite", + "version": "builtin", + "description": [ + "Configures a 1-1 mapping for upstream's http codes." + ] + } + ], + "websocket": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Allows websocket connection pass through.", + "configuration": { + "properties": {}, + "type": "object" + }, + "name": "Websocket", + "version": "builtin", + "description": [ + "A policy which allows Websocket traffic for the service" + ] + } + ], + "conditional": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Executes a policy chain conditionally.", + "configuration": { + "required": [ + "condition" + ], + "properties": { + "policy_chain": { + "description": "The policy chain to execute when the condition is true", + "items": { + "type": "object" + }, + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "type": "object", + "definitions": { + "condition": { + "$id": "#/definitions/condition", + "description": "Condition to be evaluated", + "properties": { + "operations": { + "type": "array", + "minItems": 1, + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + } + }, + "type": "object" + }, + "operation": { + "$id": "#/definitions/operation", + "required": [ + "left", + "op", + "right" + ], + "properties": { + "left": { + "type": "string" + }, + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + 
"right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + }, + "right": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "name": "Conditional Policy [Tech preview]", + "version": "builtin", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ] + } + ], + "oauth_mtls": [ + { + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "configuration": { + "properties": {}, + "type": "object" + }, + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "version": "builtin", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ] + } + ], + "echo": [ + { + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "summary": "Prints the request back to the client and optionally sets a status code.", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "description": "Exit mode", + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "type": "string" + } + }, + "type": "object" + }, + "name": "Echo", + "version": "builtin", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." 
+ ]
+ }
+ ],
+ "apicast": [
+ {
+ "$schema": "http://apicast.io/policy-v1.1/schema#manifest#",
+ "summary": "Main functionality of APIcast to work with the 3scale API manager.",
+ "configuration": {
+ "properties": {},
+ "type": "object"
+ },
+ "name": "3scale APIcast",
+ "version": "builtin",
+ "description": [
+ "Main functionality of APIcast to work with the 3scale API ",
+ "manager. This includes matching of mapping rules, authorization, ",
+ "reporting, etc."
+ ]
+ }
+ ],
+ "keycloak_role_check": [
+ {
+ "$schema": "http://apicast.io/policy-v1.1/schema#manifest#",
+ "summary": "Adds role check with Keycloak.",
+ "configuration": {
+ "properties": {
+ "type": {
+ "enum": [
+ "whitelist",
+ "blacklist"
+ ],
+ "description": "Type of the role check",
+ "default": "whitelist",
+ "type": "string"
+ },
+ "scopes": {
+ "items": {
+ "properties": {
+ "resource": {
+ "description": "Resource controlled by role. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.",
+ "type": "string"
+ },
+ "client_roles": {
+ "description": "Client roles",
+ "items": {
+ "properties": {
+ "name_type": {
+ "$ref": "#/definitions/value_type",
+ "description": "How to evaluate 'name'"
+ },
+ "name": {
+ "description": "Name of the role",
+ "type": "string"
+ },
+ "client": {
+ "description": "Client of the role.",
+ "type": "string"
+ },
+ "client_type": {
+ "$ref": "#/definitions/value_type",
+ "description": "How to evaluate 'client'"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ },
+ "resource_type": {
+ "$ref": "#/definitions/value_type",
+ "description": "How to evaluate 'resource'"
+ },
+ "realm_roles": {
+ "description": "Realm roles",
+ "items": {
+ "properties": {
+ "name_type": {
+ "$ref": "#/definitions/value_type",
+ "description": "How to evaluate 'name'"
+ },
+ "name": {
+ "description": "Name of the role",
+ "type": "string"
+ }
+ },
+ "type": "object"
+ },
+ "type": 
"array"
+ },
+ "methods": {
+ "items": {
+ "enum": [
+ "ANY",
+ "GET",
+ "HEAD",
+ "POST",
+ "PUT",
+ "DELETE",
+ "PATCH",
+ "OPTIONS",
+ "TRACE",
+ "CONNECT"
+ ],
+ "type": "string"
+ },
+ "description": "Allowed methods",
+ "default": [
+ "ANY"
+ ],
+ "type": "array"
+ }
+ },
+ "type": "object"
+ },
+ "type": "array"
+ }
+ },
+ "type": "object",
+ "definitions": {
+ "value_type": {
+ "$id": "#/definitions/value_type",
+ "oneOf": [
+ {
+ "title": "Evaluate 'value' as plain text.",
+ "enum": [
+ "plain"
+ ]
+ },
+ {
+ "title": "Evaluate 'value' as liquid.",
+ "enum": [
+ "liquid"
+ ]
+ }
+ ],
+ "type": "string"
+ }
+ }
+ },
+ "name": "RH-SSO/Keycloak Role Check",
+ "version": "builtin",
+ "description": [
+ "This policy adds role check with Keycloak.\n",
+ "This policy verifies realm roles and client roles in the access token."
+ ]
+ }
+ ],
+ "3scale_referrer": [
+ {
+ "$schema": "http://apicast.io/policy-v1.1/schema#manifest#",
+ "summary": "Sends the 'Referer' to 3scale backend so it can be validated.",
+ "configuration": {
+ "properties": {},
+ "type": "object"
+ },
+ "name": "3scale Referrer",
+ "version": "builtin",
+ "description": "Sends the 'Referer' to 3scale backend for validation."
+ }
+ ]
+ }
+}
diff --git a/doc/policies_list/3.6.0/policies.json b/doc/policies_list/3.6.0/policies.json
new file mode 100644
index 000000000..9cdf4aa7a
--- /dev/null
+++ b/doc/policies_list/3.6.0/policies.json
@@ -0,0 +1,1782 @@
+{
+ "policies": {
+ "token_introspection": [
+ {
+ "summary": "Configures OAuth 2.0 Token Introspection.",
+ "description": [
+ "This policy executes OAuth 2.0 Token Introspection ",
+ "(https://tools.ietf.org/html/rfc7662) for every API call."
+ ],
+ "name": "OAuth 2.0 Token Introspection",
+ "$schema": "http://apicast.io/poolicy-v1/schema#manifest#",
+ "configuration": {
+ "required": [
+ "auth_type"
+ ],
+ "properties": {
+ "max_ttl_tokens": {
+ "maximum": 3600,
+ "minimum": 1,
+ "description": "Max TTL for cached tokens",
+ "type": "integer"
+ },
+ "max_cached_tokens": {
+ "maximum": 10000,
+ "minimum": 0,
+ "description": "Max number of tokens to cache",
+ "type": "integer"
+ },
+ "auth_type": {
+ "type": "string",
+ "default": "client_id+client_secret",
+ "enum": [
+ "use_3scale_oidc_issuer_endpoint",
+ "client_id+client_secret"
+ ]
+ }
+ },
+ "dependencies": {
+ "auth_type": {
+ "oneOf": [
+ {
+ "properties": {
+ "auth_type": {
+ "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.",
+ "enum": [
+ "use_3scale_oidc_issuer_endpoint"
+ ]
+ }
+ }
+ },
+ {
+ "required": [
+ "client_id",
+ "client_secret",
+ "introspection_url"
+ ],
+ "properties": {
+ "introspection_url": {
+ "type": "string",
+ "description": "Introspection Endpoint URL"
+ },
+ "client_id": {
+ "type": "string",
+ "description": "Client ID for the Token Introspection Endpoint"
+ },
+ "auth_type": {
+ "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.",
+ "enum": [
+ "client_id+client_secret"
+ ]
+ },
+ "client_secret": {
+ "type": "string",
+ "description": "Client Secret for the Token Introspection Endpoint"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "version": "builtin"
+ }
+ ],
+ "conditional": [
+ {
+ "summary": "Executes a policy chain conditionally.",
+ "description": [
+ "Evaluates a condition, and when it's true, it calls its policy chain. 
", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "name": "Conditional policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "upstream": [ + { + "summary": "Allows to modify the upstream URL of the request based on its path.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. 
", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "name": "Upstream", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + }, + "required": [ + "regex", + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "retry": [ + { + "summary": "Allows to retry requests to the upstream", + "description": "Allows to retry requests to the upstream", + "name": "Retry", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "description": "Number of retries", + "type": "integer" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "default_credentials": [ + { + "summary": "Provides default credentials for unauthenticated requests.", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." 
+ ], + "name": "Anonymous access", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "auth_type": { + "type": "string", + "default": "user_key", + "enum": [ + "user_key", + "app_id_and_app_key" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_id": { + "type": "string" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rewrite_url_captures": [ + { + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "name": "URL rewriting with captures", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "transformations": { + "items": { + "properties": { + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "jwt_claim_check": [ + { + "summary": "Allow or deny traffic based on a JWT claim", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ], + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. 
In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "logging": [ + { + "summary": "Controls logging.", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service." 
+ ], + "name": "Logging", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "soap": [ + { + "summary": "Adds support for a small subset of SOAP.", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "properties": { + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "liquid_context_debug": [ + { + "summary": "Inspects the available liquid context.", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. 
Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." + ], + "name": "Liquid context debug", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_connection": [ + { + "summary": "Allows to configure several options for the connections to the upstream", + "description": "Allows to configure several options for the connections to the upstream", + "name": "Upstream connection", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_batcher": [ + { + "summary": "Caches auths from 3scale backend and batches reports.", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." 
+ ], + "name": "3scale batcher", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "headers": [ + { + "summary": "Allows to include custom headers.", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ], + "name": "Header modification", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." 
+ } + }, + "required": [ + "op", + "header" + ], + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit": [ + { + "summary": "Adds rate limit.", + "description": [ + "This policy adds rate limit." + ], + "name": "Edge limiting", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "error_handling": { + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "description": "How to handle an error", + "default": "exit", + "type": "string" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + }, + "key": { + "type": "object", + "properties": { + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "default": "service", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "default": 
"plain", + "type": "string" + } + }, + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + } + }, + "properties": { + "connection_limiters": { + "items": { + "properties": { + "condition": { + "$ref": "#/definitions/condition" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 429, + "description": "The status code when requests over the limit" + }, + "error_handling": { + "$ref": 
"#/definitions/error_handling" + } + }, + "type": "object" + }, + "configuration_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 500, + "description": "The status code when there is some configuration issue" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "window": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + } + }, + "type": "object" + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "routing": [ + { + "summary": "Allows to modify the upstream URL of the request.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." 
+ ], + "name": "Routing", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + "match", + "op", + "value" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim" + ], + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "combine_op": { + "description": "With 'and', the condition will be true only when all the operations evaluate to true. 
With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "apicast": [ + { + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "tls_validation": [ + { + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." 
+ } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "caching": [ + { + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "name": "3scale auth caching", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "default": "none", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "keycloak_role_check": [ + { + "summary": "Adds role check with Keycloak.", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "name": "RH-SSO/Keycloak role check", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + }, + "resource": { + "description": "Resource controlled by role. 
This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "name": { + "description": "Name of the role", + "type": "string" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "echo": [ + { + "summary": "Prints the request back to the client and optionally sets a status code.", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." 
+ ], + "name": "Echo", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "cors": [ + { + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." + ], + "name": "CORS", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. https://example.com) or '*'. If left blank, the value of the 'Origin' request header will be used." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "url_rewriting": [ + { + "summary": "Allows to modify the path of a request.", + "description": [ + "This policy allows to modify the path of a request. 
", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ], + "name": "URL rewriting", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "query_args_commands": { + "required": [ + "op", + "arg", + "value" + ], + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + } + }, + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": 
"Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + } + }, + "required": [ + "op", + "regex", + "replace" + ], + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "ip_check": [ + { + "summary": "Accepts or denies a request based on the IP.", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." 
+ ],
+ "name": "IP check",
+ "$schema": "http://apicast.io/policy-v1/schema#manifest#",
+ "configuration": {
+ "properties": {
+ "error_msg": {
+ "description": "",
+ "default": "IP address not allowed",
+ "type": "string"
+ },
+ "client_ip_sources": {
+ "maxItems": 3,
+ "minItems": 1,
+ "items": {
+ "anyOf": [
+ {
+ "title": "Get the IP from the X-Forwarded-For header (first IP of the list)",
+ "enum": [
+ "X-Forwarded-For"
+ ]
+ },
+ {
+ "title": "Get the IP from the X-Real-IP header",
+ "enum": [
+ "X-Real-IP"
+ ]
+ },
+ {
+ "title": "Use the IP of the last caller",
+ "enum": [
+ "last_caller"
+ ]
+ }
+ ],
+ "type": "string"
+ },
+ "description": "Specifies how to get the client IP and in which order the options are tried",
+ "default": [
+ "last_caller"
+ ],
+ "type": "array"
+ },
+ "ips": {
+ "items": {
+ "type": "string"
+ },
+ "description": "List of IPs",
+ "type": "array"
+ },
+ "check_type": {
+ "oneOf": [
+ {
+ "title": "Block the IPs included in the list",
+ "enum": [
+ "blacklist"
+ ]
+ },
+ {
+ "title": "Allow only the IPs included in the list",
+ "enum": [
+ "whitelist"
+ ]
+ }
+ ],
+ "description": "The type of check to apply",
+ "type": "string"
+ }
+ },
+ "required": [
+ "ips",
+ "check_type"
+ ],
+ "type": "object"
+ },
+ "version": "builtin"
+ }
+ ],
+ "3scale_referrer": [
+ {
+ "summary": "Sends the 'Referer' to 3scale backend so it can be validated.",
+ "description": "Sends the 'Referer' to 3scale backend for validation.",
+ "name": "3scale Referrer",
+ "$schema": "http://apicast.io/policy-v1/schema#manifest#",
+ "configuration": {
+ "properties": {},
+ "type": "object"
+ },
+ "version": "builtin"
+ }
+ ]
+ }
+}
diff --git a/doc/policies_list/3.7.0/policies.json b/doc/policies_list/3.7.0/policies.json
new file mode 100644
index 000000000..6c47cfcb2
--- /dev/null
+++ b/doc/policies_list/3.7.0/policies.json
@@ -0,0 +1,2102 @@ +{ + "policies": { + "token_introspection": [ + { + "summary": "Configures OAuth 2.0 Token Introspection.", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ], + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "minimum": 1, + "description": "Max TTL for cached tokens", + "type": "integer" + }, + "max_cached_tokens": { + "maximum": 10000, + "minimum": 0, + "description": "Max number of tokens to cache", + "type": "integer" + }, + "auth_type": { + "type": "string", + "default": "client_id+client_secret", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "conditional": [ + { + "summary": "Executes a policy chain conditionally.", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. 
", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "name": "Conditional policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "upstream": [ + { + "name": "Upstream", + "summary": "Allows to modify the upstream URL of the request based on its path.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on 
its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + }, + "required": [ + "regex", + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "retry": [ + { + "summary": "Allows to retry requests to the upstream", + "description": "Allows to retry requests to the upstream", + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "description": "Number of retries", + "type": "integer" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "default_credentials": [ + { + "name": "Anonymous access", + "summary": "Provides default credentials for unauthenticated requests.", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." 
+ ],
+ "order": {
+ "before": [
+ {
+ "version": "builtin",
+ "name": "apicast"
+ }
+ ]
+ },
+ "$schema": "http://apicast.io/policy-v1.1/schema#manifest#",
+ "configuration": {
+ "required": [
+ "auth_type"
+ ],
+ "properties": {
+ "auth_type": {
+ "type": "string",
+ "default": "user_key",
+ "enum": [
+ "user_key",
+ "app_id_and_app_key"
+ ]
+ }
+ },
+ "dependencies": {
+ "auth_type": {
+ "oneOf": [
+ {
+ "required": [
+ "user_key"
+ ],
+ "properties": {
+ "auth_type": {
+ "enum": [
+ "user_key"
+ ]
+ },
+ "user_key": {
+ "type": "string"
+ }
+ }
+ },
+ {
+ "required": [
+ "app_id",
+ "app_key"
+ ],
+ "properties": {
+ "app_key": {
+ "type": "string"
+ },
+ "auth_type": {
+ "enum": [
+ "app_id_and_app_key"
+ ]
+ },
+ "app_id": {
+ "type": "string"
+ }
+ }
+ }
+ ]
+ }
+ },
+ "type": "object"
+ },
+ "version": "builtin"
+ }
+ ],
+ "cors": [
+ {
+ "name": "CORS",
+ "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.",
+ "description": [
+ "This policy enables Cross Origin Resource Sharing (CORS) request ",
+ "handling. It allows to define CORS headers such as ",
+ "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n",
+ "When combined with the APIcast policy, the CORS policy should be ",
+ "placed before it in the chain."
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. https://example.com) or '*'. If left blank, the value of the 'Origin' request header will be used." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "jwt_claim_check": [ + { + "summary": "Allow or deny traffic based on a JWT claim", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ], + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. 
In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "logging": [ + { + "summary": "Controls logging.", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. 
Also it allows to have a custom access logs format per service" + ], + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "properties": { + "condition": { + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value", + "type": "string" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + } + }, + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. 
Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "value": { + "type": "string", + "description": "String to get request information" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "soap": [ + { + "summary": "Adds support for a small subset of SOAP.", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "properties": { + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." 
+ } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "caching": [ + { + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "name": "3scale auth caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "default": "none", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_batcher": [ + { + "summary": "Caches auths from 3scale backend and batches reports.", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." 
+ ], + "name": "3scale batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_connection": [ + { + "summary": "Allows to configure several options for the connections to the upstream", + "description": "Allows to configure several options for the connections to the upstream", + "name": "Upstream connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "headers": [ + { + "summary": "Allows to include custom headers.", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." 
+ ], + "name": "Header modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." + } + }, + "required": [ + "op", + "header" + ], + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "liquid_context_debug": [ + { + "name": "Liquid context debug", + "summary": "Inspects the available liquid context.", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. 
However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "routing": [ + { + "name": "Routing", + "summary": "Allows to modify the upstream URL of the request.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + "match", + "op", + "value" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. ", + "type": "integer" + }, + "url": { + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. 
When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "combine_op": { + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path", + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "tls_validation": [ + { + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." 
+ } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "keycloak_role_check": [ + { + "summary": "Adds role check with Keycloak.", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "name": "RH-SSO/Keycloak role check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + }, + "resource": { + "description": "Resource controlled by role. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "name": { + "description": "Name of the role", + "type": "string" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "tls": [ + { + "summary": "Configure TLS termination certificates", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ], + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "certificates": { + "items": { + "anyOf": [ + { + "properties": { + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + }, + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + } + }, + "title": "Embedded certificate", + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string", + "format": "data-url" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string", + "format": "data-url" + } + }, + "title": "Certificate from local filesystem", + "required": [ + "certificate", + "certificate_key" + ] + } + ], + "type": "object" + }, + "title": "TLS certificates", + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "oauth_mtls": [ + { + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) for every API call." + ], + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "apicast": [ + { + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. 
This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_referrer": [ + { + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "description": "Sends the 'Referer' to 3scale backend for validation.", + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "http_proxy": [ + { + "summary": "Adds an HTTP proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Proxy service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "maintenance_mode": [ + { + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "description": [ + "A policy which allows you reject incoming requests with a specified status code and message.", + "It's useful for maintenance periods or to temporarily block an API." 
+ ], + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "message_content_type": { + "type": "string", + "default": "text/plain; charset=utf-8", + "description": "Content-Type header for the response" + }, + "status": { + "type": "integer", + "default": 503, + "description": "HTTP status code to return" + }, + "message": { + "type": "string", + "default": "Service Unavailable - Maintenance", + "description": "HTTP response to return" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "echo": [ + { + "summary": "Prints the request back to the client and optionally sets a status code.", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ], + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rewrite_url_captures": [ + { + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "name": "URL rewriting with captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "transformations": { + "items": { + "properties": { + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "url_rewriting": [ + { + "summary": "Allows to modify the path of a request.", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." 
+ ], + "name": "URL rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "query_args_commands": { + "required": [ + "op", + "arg", + "value" + ], + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + } + }, + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "options": { + "type": "string", + "description": "Options that 
define how the regex matching is performed" + } + }, + "required": [ + "op", + "regex", + "replace" + ], + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "ip_check": [ + { + "summary": "Accepts or denies a request based on the IP.", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ], + "name": "IP check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "error_msg": { + "description": "", + "default": "IP address not allowed", + "type": "string" + }, + "client_ip_sources": { + "maxItems": 3, + "minItems": 1, + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "default": [ + "last_caller" + ], + "type": "array" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + } + }, + "required": [ + "ips", + "check_type" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit": [ + { + "summary": "Adds rate limit.", + "description": [ + "This policy adds rate limit." 
+ ], + "name": "Edge limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "error_handling": { + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "description": "How to handle an error", + "default": "exit", + "type": "string" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + }, + "key": { + "type": "object", + "properties": { + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "default": "service", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "default": "plain", + "type": "string" + } + }, + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + } + }, + "properties": { + "connection_limiters": { + "items": { + "properties": { + "condition": { + "$ref": "#/definitions/condition" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 429, + "description": "The status code when requests over the limit" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" + }, + "configuration_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 500, + "description": "The status code when there is some configuration issue" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + 
"type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "window": { + "exclusiveMinimum": 0, + "type": "integer", + "default": 1, + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "version": "builtin" + } + ] + } +} diff --git a/doc/policies_list/3.8.0/policies.json b/doc/policies_list/3.8.0/policies.json new file mode 100644 index 000000000..0ed3b8a5f --- /dev/null +++ b/doc/policies_list/3.8.0/policies.json 
@@ -0,0 +1,2132 @@ +{ + "policies": { + "token_introspection": [ + { + "summary": "Configures OAuth 2.0 Token Introspection.", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ], + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "minimum": 1, + "description": "Max TTL for cached tokens", + "type": "integer" + }, + "max_cached_tokens": { + "maximum": 10000, + "minimum": 0, + "description": "Max number of tokens to cache", + "type": "integer" + }, + "auth_type": { + "type": "string", + "default": "client_id+client_secret", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "websocket": [ + { + "summary": "Allows websocket connection pass through.", + "description": [ + "A policy which allows Websocket traffic for the service" + ], + "name": "Websocket", + 
"$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream": [ + { + "name": "Upstream", + "summary": "Allows to modify the upstream URL of the request based on its path.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + }, + "required": [ + "regex", + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "retry": [ + { + "summary": "Allows to retry requests to the upstream", + "description": "Allows to retry requests to the upstream", + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "description": "Number of retries", + "type": "integer" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "default_credentials": [ + { + "name": "Anonymous Access", + "summary": "Provides default credentials for unauthenticated requests.", + "description": [ + "This policy allows service exposure without authentication. 
\n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. \n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "auth_type": { + "type": "string", + "default": "user_key", + "enum": [ + "user_key", + "app_id_and_app_key" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_id": { + "type": "string" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "cors": [ + { + "name": "CORS Request Handling", + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. https://example.com) or '*'. If left blank, the value of the 'Origin' request header will be used." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "jwt_claim_check": [ + { + "summary": "Allow or deny traffic based on a JWT claim", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." + ], + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. 
In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_batcher": [ + { + "summary": "Caches auths from 3scale backend and batches reports.", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." 
+ ], + "name": "3scale Batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "headers": [ + { + "summary": "Allows to include custom headers.", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." + ], + "name": "Header Modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." 
+ } + }, + "required": [ + "op", + "header" + ], + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "logging": [ + { + "summary": "Controls logging.", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. Also it allows to have a custom access logs format per service" + ], + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "properties": { + "condition": { + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value", + "type": "string" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + } + }, + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom 
logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "value": { + "type": "string", + "description": "String to get request information" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "soap": [ + { + "summary": "Adds support for a small subset of SOAP.", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "properties": { + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." 
+ } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "caching": [ + { + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "name": "3scale Auth Caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "default": "none", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "grpc": [ + { + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ], + "name": "HTTP2 Endpoint", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_connection": [ + { + "summary": "Allows to configure several options for the connections to the upstream", + "description": "Allows to configure several options for the connections to the upstream", + "name": "Upstream Connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." 
+ }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "routing": [ + { + "name": "Routing", + "summary": "Allows to modify the upstream URL of the request.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + "match", + "op", + "value" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + 
"description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. ", + "type": "integer" + }, + "url": { + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "combine_op": { + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path", + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rewrite_url_captures": [ + { + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "name": "URL Rewriting with Captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "transformations": { + "items": { + "properties": { + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "keycloak_role_check": [ + { + "summary": "Adds role check with Keycloak.", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "name": "RH-SSO/Keycloak Role Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + }, + "resource": { + "description": "Resource controlled by role. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "name": { + "description": "Name of the role", + "type": "string" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "liquid_context_debug": [ + { + "name": "Liquid Context Debug", + "summary": "Inspects the available liquid context.", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "conditional": [ + { + "summary": "Executes a policy chain conditionally.", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "name": "Conditional Policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + } + }, + "properties": { + "policy_chain": { 
+ "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit": [ + { + "summary": "Adds rate limit.", + "description": [ + "This policy adds rate limit." + ], + "name": "Edge Limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "error_handling": { + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "description": "How to handle an error", + "default": "exit", + "type": "string" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + }, + "key": { + "type": "object", + "properties": { + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "default": "service", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "default": "plain", + "type": "string" + } + }, + "$id": 
"#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + } + }, + "properties": { + "connection_limiters": { + "items": { + "properties": { + "condition": { + "$ref": "#/definitions/condition" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 429, + "description": "The status code when requests over the limit" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" 
+ }, + "configuration_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 500, + "description": "The status code when there is some configuration issue" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "window": { + "exclusiveMinimum": 0, + "type": "integer", + "default": 1, + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "oauth_mtls": [ + { + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/draft-ietf-oauth-mtls-12) for every API call." 
+ ], + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "apicast": [ + { + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_referrer": [ + { + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "description": "Sends the 'Referer' to 3scale backend for validation.", + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "http_proxy": [ + { + "summary": "Adds an HTTP proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Proxy Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." 
+ } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "maintenance_mode": [ + { + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "description": [ + "A policy which allows you reject incoming requests with a specified status code and message.", + "It's useful for maintenance periods or to temporarily block an API." + ], + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "message_content_type": { + "type": "string", + "default": "text/plain; charset=utf-8", + "description": "Content-Type header for the response" + }, + "status": { + "type": "integer", + "default": 503, + "description": "HTTP status code to return" + }, + "message": { + "type": "string", + "default": "Service Unavailable - Maintenance", + "description": "HTTP response to return" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "echo": [ + { + "summary": "Prints the request back to the client and optionally sets a status code.", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ], + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "tls": [ + { + "summary": "Configure TLS termination certificates", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ], + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "certificates": { + "items": { + "anyOf": [ + { + "properties": { + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + }, + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + } + }, + "title": "Embedded certificate", + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string", + "format": "data-url" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string", + "format": "data-url" + } + }, + "title": "Certificate from local filesystem", + "required": [ + "certificate", + "certificate_key" + ] + } + ], + "type": "object" + }, + "title": "TLS certificates", + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "url_rewriting": [ + { + "summary": "Allows to modify the path of a request.", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. 
If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." + ], + "name": "URL Rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "query_args_commands": { + "required": [ + "op", + "arg", + "value" + ], + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + } + }, + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + 
"description": "String that will replace what is matched by the regex" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + } + }, + "required": [ + "op", + "regex", + "replace" + ], + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "ip_check": [ + { + "summary": "Accepts or denies a request based on the IP.", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. \n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ], + "name": "IP Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "error_msg": { + "description": "", + "default": "IP address not allowed", + "type": "string" + }, + "client_ip_sources": { + "maxItems": 3, + "minItems": 1, + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "default": [ + "last_caller" + ], + "type": "array" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + } + }, + "required": [ + "ips", + "check_type" + ], + "type": "object" + }, + "version": 
"builtin" + } + ], + "tls_validation": [ + { + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." + } + }, + "type": "object" + }, + "version": "builtin" + } + ] + } +} diff --git a/doc/policies_list/3.9.0/policies.json b/doc/policies_list/3.9.0/policies.json new file mode 100644 index 000000000..eeb723eb7 --- /dev/null +++ b/doc/policies_list/3.9.0/policies.json 
@@ -0,0 +1,2613 @@ +{ + "policies": { + "token_introspection": [ + { + "summary": "Configures OAuth 2.0 Token Introspection.", + "description": [ + "This policy executes OAuth 2.0 Token Introspection ", + "(https://tools.ietf.org/html/rfc7662) for every API call." + ], + "name": "OAuth 2.0 Token Introspection", + "$schema": "http://apicast.io/poolicy-v1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "max_ttl_tokens": { + "maximum": 3600, + "minimum": 1, + "description": "Max TTL for cached tokens", + "type": "integer" + }, + "max_cached_tokens": { + "maximum": 10000, + "minimum": 0, + "description": "Max number of tokens to cache", + "type": "integer" + }, + "auth_type": { + "type": "string", + "default": "client_id+client_secret", + "enum": [ + "use_3scale_oidc_issuer_endpoint", + "client_id+client_secret" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "properties": { + "auth_type": { + "describe": "Use the Client credentials and the Token Introspection Endpoint from the OpenID Connect Issuer setting.", + "enum": [ + "use_3scale_oidc_issuer_endpoint" + ] + } + } + }, + { + "required": [ + "client_id", + "client_secret", + "introspection_url" + ], + "properties": { + "introspection_url": { + "type": "string", + "description": "Introspection Endpoint URL" + }, + "client_id": { + "type": "string", + "description": "Client ID for the Token Introspection Endpoint" + }, + "auth_type": { + "describe": "Specify the Token Introspection Endpoint, Client ID, and Client Secret.", + "enum": [ + "client_id+client_secret" + ] + }, + "client_secret": { + "type": "string", + "description": "Client Secret for the Token Introspection Endpoint" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "content_caching": [ + { + "summary": "Option to enable content caching on responses.", + "description": [ + "With this policy a new way to enable caching in APICast is enabled based on any 
Liquid filter operation" + ], + "name": "Content caching", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "rule": { + "title": "Rule", + "required": [ + "cache" + ], + "properties": { + "header": { + "description": "Header name to return with the cache status (HIT, MISS,EXPIRED)", + "title": "Header name ", + "default": "X-Cache-Status", + "type": "string" + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "title": "Combine operation", + "default": "and", + "type": "string" + } + }, + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "type": "object" + }, + "cache": { + "title": "Enable cache if match", + "default": false, + "type": "boolean" + } + }, + "$id": "#/definitions/rule", + "type": "object" + } + }, + "properties": { + "rules": { + "title": "Rules", + "items": { + "$ref": 
"#/definitions/rule" + }, + "minItems": 1, + "description": "Rules to enable/disable caching", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream": [ + { + "name": "Upstream", + "summary": "Allows to modify the upstream URL of the request based on its path.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of the request based on its path. ", + "It accepts regular expressions and, when matched against the request path, ", + "replaces the upstream URL with a given string. \n", + "When combined with the APIcast policy, the upstream policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "rules": { + "items": { + "properties": { + "url": { + "type": "string", + "description": "New URL in case of match" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + } + }, + "required": [ + "regex", + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rewrite_url_captures": [ + { + "summary": "Captures arguments in a URL and rewrites the URL using them.", + "description": [ + "Captures arguments in a URL and rewrites the URL using these arguments. ", + "For example, we can specify a matching rule with arguments like ", + "'/{orderId}/{accountId}' and a template that specifies how to rewrite ", + "the URL using those arguments. 
Example: ", + "'/sales/v2/{orderId}?account={accountId}'; in this case, the request ", + "'/123/456' will be transformed into '/sales/v2/123?account=456'" + ], + "name": "URL Rewriting with Captures", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "transformations": { + "items": { + "properties": { + "match_rule": { + "description": "Rule to be matched", + "type": "string" + }, + "template": { + "description": "Template in which the matched args are replaced", + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_mtls": [ + { + "summary": "Certificates to be used with the upstream API", + "description": "With this policy a new TLS connection with the upstream API will be used with the certificates set in the config", + "name": "Upstream Mutual TLS", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "title": "Upstream MTLS", + "dependencies": { + "certificate_type": { + "oneOf": [ + { + "properties": { + "certificate_type": { + "const": "embedded" + }, + "certificate": { + "title": "Certificate", + "type": "string", + "format": "data-url" + } + } + }, + { + "properties": { + "certificate_type": { + "const": "path" + }, + "certificate": { + "type": "string", + "title": "Certificate" + } + } + } + ] + }, + "certificate_key_type": { + "oneOf": [ + { + "properties": { + "certificate_key_type": { + "const": "embedded" + }, + "certificate_key": { + "title": "Certificate Key", + "type": "string", + "format": "data-url" + } + } + }, + { + "properties": { + "certificate_key_type": { + "const": "path" + }, + "certificate_key": { + "type": "string", + "title": "Certificate Key" + } + } + } + ] + } + }, + "required": [ + "certificate_type", + "certificate_key_type" + ], + "properties": { + "certificate_type": { + "enum": [ + "path", + "embedded" + ], + "title": "Certificate type", + "default": 
"path", + "type": "string" + }, + "certificate_key_type": { + "enum": [ + "path", + "embedded" + ], + "title": "Certificate key type", + "default": "path", + "type": "string" + } + }, + "description": "Built-in Upstream MTLS APIcast policy", + "type": "object" + }, + "version": "builtin" + } + ], + "custom_metrics": [ + { + "name": "Custom Metrics", + "summary": "Custom metrics on Nginx post actions ", + "description": [ + "With this policy, on post_actions the Authrep call will report any new ", + "metric if one of the conditions match. The main use case for this is to ", + "report any metric based on response headers, status codes, or any other ", + "liquid exposed variable." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "custom_metrics_rule": { + "properties": { + "increment": { + "description": "How many hits should be incremented, liquid value ", + "title": "Increment ", + "default": "1", + "type": "string" + }, + "metric": { + "description": "Metric name to increment in case of condition match (liquid input)", + "title": "Metric to increment ", + "default": "", + "type": "string" + }, + "condition": { + "properties": { + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + }, + "combine_op": { + "enum": [ + "and", + "or" + ], + "title": "Combine operation", + "default": "and", + "type": "string" + } + }, + "title": "Condition", + "required": [ + "combine_op", + "operations" + ], + "type": "object" + } + }, + "type": "object", + "required": [ + "metric", + "condition", + "increment" + ] + } + }, + "properties": { + "rules": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/custom_metrics_rule" + } + } + } + }, + "version": "builtin" + } + ], + "logging": [ + { + "summary": "Controls logging.", + "description": [ + "Controls logging. It allows to enable and disable access logs per ", + "service. 
Also it allows to have a custom access logs format per service" + ], + "name": "Logging", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "type": "string" + } + }, + "properties": { + "condition": { + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare match field with the provided value", + "type": "string" + }, + "match": { + "type": "string", + "description": "String to get request information to match" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "match_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'match' value" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved match" + } + }, + "required": [ + "op", + "match", + "match_type", + "value", + "value_type" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "enable_access_logs": { + "type": "boolean", + "description": "Whether to enable access logs for the service" + }, + "custom_logging": { + "title": "Custom logging format", + "type": "string", + "description": "A string variable that uses liquid templating to render a custom access log entry. All Nginx variables can be used plus per service entries" + }, + "enable_json_logs": { + "type": "boolean", + "description": "To enable logs in json format. 
Custom logging format will be disabled" + }, + "json_object_config": { + "items": { + "properties": { + "value": { + "type": "string", + "description": "String to get request information" + }, + "key": { + "type": "string", + "description": "Key for the the json object" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "caching": [ + { + "summary": "Controls how to cache authorizations returned by the 3scale backend.", + "description": [ + "Configures a cache for the authentication calls against the 3scale ", + "backend. This policy supports four kinds of caching: \n", + " - Strict: it only caches authorized calls. Denied and failed calls ", + "invalidate the cache entry.\n", + " - Resilient: caches authorized and denied calls. Failed calls do not ", + "invalidate the cache. This allows APIcast to authorize and deny calls ", + "according to the result of the last request made even when backend is ", + "down.\n", + "- Allow: caches authorized and denied calls. When backend is ", + "unavailable, it will cache an authorization. In practice, this means ", + "that when backend is down _any_ request will be authorized unless last ", + "call to backend for that request returned 'deny' (status code = 4xx). ", + "Make sure to understand the implications of this Caching mode before ", + "using it. \n", + "- None: disables caching." 
+ ], + "name": "3scale Auth Caching", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "caching_type": { + "description": "Caching mode", + "oneOf": [ + { + "title": "Strict: cache only authorized calls.", + "enum": [ + "strict" + ] + }, + { + "title": "Resilient: authorize according to last request when backend is down.", + "enum": [ + "resilient" + ] + }, + { + "title": "Allow: when backend is down, allow everything unless seen before and denied.", + "enum": [ + "allow" + ] + }, + { + "title": "None: disable caching.", + "enum": [ + "none" + ] + } + ], + "default": "none", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "upstream_connection": [ + { + "summary": "Allows to configure several options for the connections to the upstream", + "description": "Allows to configure several options for the connections to the upstream", + "name": "Upstream Connection", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "send_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive write operations (in seconds).", + "type": "number" + }, + "connect_timeout": { + "type": "integer", + "description": "Timeout for establishing a connection (in seconds)." + }, + "read_timeout": { + "exclusiveMinimum": 0, + "description": "Timeout between two successive read operations (in seconds).", + "type": "number" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "tls": [ + { + "summary": "Configure TLS termination certificates", + "description": [ + "Configure APIcast to serve TLS certificates for HTTPS connections." 
+ ], + "name": "TLS Termination", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "certificates": { + "items": { + "anyOf": [ + { + "properties": { + "certificate_path": { + "title": "Path to the certificate", + "type": "string" + }, + "certificate_key_path": { + "title": "Path to the certificate private key", + "type": "string" + } + }, + "title": "Embedded certificate", + "required": [ + "certificate_path", + "certificate_key_path" + ] + }, + { + "properties": { + "certificate_key": { + "description": "Private key including the -----BEGIN * PRIVATE KEY----- and -----END * PRIVATE KEY -----", + "title": "PEM formatted certificate private key", + "type": "string", + "format": "data-url" + }, + "certificate": { + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "title": "PEM formatted certificate", + "type": "string", + "format": "data-url" + } + }, + "title": "Certificate from local filesystem", + "required": [ + "certificate", + "certificate_key" + ] + } + ], + "type": "object" + }, + "title": "TLS certificates", + "type": "array", + "description": "The first valid certificate is going to be served to the client." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "oauth_mtls": [ + { + "summary": "Configure OAuth 2.0 Mutual TLS Client Authentication.", + "description": [ + "This policy executes OAuth 2.0 Mutual TLS Client Authentication ", + "(https://tools.ietf.org/html/rfc8705) for every API call." + ], + "name": "OAuth 2.0 Mutual TLS Client Authentication", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "apicast": [ + { + "summary": "Main functionality of APIcast to work with the 3scale API manager.", + "description": [ + "Main functionality of APIcast to work with the 3scale API ", + "manager. 
This includes matching of mapping rules, authorization, ", + "reporting, etc." + ], + "name": "3scale APIcast", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "tls_validation": [ + { + "summary": "Validate certificates provided by the client during TLS handshake (HTTPS).", + "description": [ + "Validate client certificates against individual certificates and CA certificates." + ], + "name": "TLS Client Certificate Validation", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "store": { + "items": { + "$ref": "#/definitions/certificate" + }, + "$id": "#/definitions/store", + "type": "array" + }, + "certificate": { + "properties": { + "pem_certificate": { + "title": "PEM formatted certificate", + "description": "Certificate including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----", + "type": "string" + } + }, + "$id": "#/definitions/certificate", + "type": "object" + } + }, + "properties": { + "whitelist": { + "$ref": "#/definitions/store", + "title": "Certificate Whitelist", + "description": "Individual certificates and CA certificates to be whitelisted." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "maintenance_mode": [ + { + "summary": "Rejects incoming requests. Useful for maintenance periods.", + "description": [ + "A policy which allows you reject incoming requests with a specified status code and message.", + "It's useful for maintenance periods or to temporarily block an API." 
+ ], + "name": "Maintenance Mode", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "message_content_type": { + "type": "string", + "default": "text/plain; charset=utf-8", + "description": "Content-Type header for the response" + }, + "status": { + "type": "integer", + "default": 503, + "description": "HTTP status code to return" + }, + "message": { + "type": "string", + "default": "Service Unavailable - Maintenance", + "description": "HTTP response to return" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "routing": [ + { + "name": "Routing", + "summary": "Allows to modify the upstream URL of the request.", + "description": [ + "This policy allows to modify the upstream URL (scheme, host and port) of ", + "the request based on its path, its query arguments, a header, or a JWT ", + "claim. \n", + "When combined with the APIcast policy, the routing policy should be ", + "placed before it in the policy chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "dependencies": { + "match": { + "oneOf": [ + { + "required": [ + "header_name" + ], + "properties": { + "header_name": { + "type": "string" + }, + "match": { + "enum": [ + "header" + ] + } + } + }, + { + "required": [ + "query_arg_name" + ], + "properties": { + "query_arg_name": { + "type": "string" + }, + "match": { + "enum": [ + "query_arg" + ] + } + } + }, + { + "required": [ + "jwt_claim_name" + ], + "properties": { + "jwt_claim_name": { + "type": "string" + }, + "match": { + "enum": [ + "jwt_claim" + ] + } + } + }, + { + "required": [ + "liquid_value" + ], + "properties": { + "liquid_value": { + "type": "string" + }, + "match": { + "enum": [ + "liquid" + ] + } + } + }, + { + "properties": { + "match": { + "enum": [ + "path" + ] + } + } + } + ] + } + }, + "required": [ + 
"match", + "op", + "value" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "type": "string" + }, + "value": { + "type": "string" + }, + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'type'", + "default": "plain", + "type": "string" + }, + "match": { + "enum": [ + "path", + "header", + "query_arg", + "jwt_claim", + "liquid" + ], + "type": "string" + } + }, + "$id": "#/definitions/operation", + "type": "object" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "owner_id": { + "description": "Value to only increment hits on the mapping rules owner by the same id. ", + "type": "integer" + }, + "url": { + "type": "string" + }, + "host_header": { + "type": "string", + "description": "Host for the Host header. When not specified, defaults to the host of the URL." + }, + "condition": { + "properties": { + "combine_op": { + "description": "With 'and', the condition will be true only when all the operations evaluate to true. With 'or', the condition will be true when at least one operation evaluates to true.", + "enum": [ + "and", + "or" + ], + "default": "and", + "type": "string" + }, + "operations": { + "items": { + "$ref": "#/definitions/operation" + }, + "type": "array" + } + }, + "type": "object" + }, + "replace_path": { + "description": "Liquid filter to modify the request path to the matched Upstream URL. When no specified, keep the original path", + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object" + }, + "description": "List of rules to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "ip_check": [ + { + "summary": "Accepts or denies a request based on the IP.", + "description": [ + "Accepts or denies requests according to a whitelist or a blacklist of ", + "IPs. 
\n", + "In the configuration, both single IPs (like 172.18.0.1) and CIDR ", + "ranges (like 172.18.0.0/16) can be used." + ], + "name": "IP Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "error_msg": { + "description": "", + "default": "IP address not allowed", + "type": "string" + }, + "client_ip_sources": { + "maxItems": 3, + "minItems": 1, + "items": { + "anyOf": [ + { + "title": "Get the IP from the X-Forwarded-For header (first IP of the list)", + "enum": [ + "X-Forwarded-For" + ] + }, + { + "title": "Get the IP from the X-Real-IP header", + "enum": [ + "X-Real-IP" + ] + }, + { + "title": "Use the IP of the last caller", + "enum": [ + "last_caller" + ] + } + ], + "type": "string" + }, + "description": "Specifies how to get the client IP and in which order the options are tried", + "default": [ + "last_caller" + ], + "type": "array" + }, + "ips": { + "items": { + "type": "string" + }, + "description": "List of IPs", + "type": "array" + }, + "check_type": { + "oneOf": [ + { + "title": "Block the IPs included in the list", + "enum": [ + "blacklist" + ] + }, + { + "title": "Allow only the IPs included in the list", + "enum": [ + "whitelist" + ] + } + ], + "description": "The type of check to apply", + "type": "string" + } + }, + "required": [ + "ips", + "check_type" + ], + "type": "object" + }, + "version": "builtin" + } + ], + "websocket": [ + { + "summary": "Allows websocket connection pass through.", + "description": [ + "A policy which allows Websocket traffic for the service" + ], + "name": "Websocket", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit_headers": [ + { + "summary": "Set rate limit headers on response", + "description": [ + "This policy implements the `RateLimit Header Fields for HTTP` draft in ", + "responses." 
+ ], + "name": "Rate Limits Headers", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": {}, + "version": "builtin" + } + ], + "camel": [ + { + "summary": "Adds an Camel proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Camel Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "retry": [ + { + "summary": "Allows to retry requests to the upstream", + "description": "Allows to retry requests to the upstream", + "name": "Retry", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "retries": { + "maximum": 10, + "minimum": 1, + "description": "Number of retries", + "type": "integer" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "default_credentials": [ + { + "name": "Anonymous Access", + "summary": "Provides default credentials for unauthenticated requests.", + "description": [ + "This policy allows service exposure without authentication. \n", + "It can be useful, for example, for legacy apps that cannot be adapted to ", + "send the auth params. \n", + "When the credentials are not provided in the request, this policy ", + "provides the default ones configured. 
\n", + "You need to configure a user_key; or, the combination of app_id + app_key. \n", + "Note: this policy should be placed before the APIcast policy in the chain." + ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "required": [ + "auth_type" + ], + "properties": { + "auth_type": { + "type": "string", + "default": "user_key", + "enum": [ + "user_key", + "app_id_and_app_key" + ] + } + }, + "dependencies": { + "auth_type": { + "oneOf": [ + { + "required": [ + "user_key" + ], + "properties": { + "auth_type": { + "enum": [ + "user_key" + ] + }, + "user_key": { + "type": "string" + } + } + }, + { + "required": [ + "app_id", + "app_key" + ], + "properties": { + "app_key": { + "type": "string" + }, + "auth_type": { + "enum": [ + "app_id_and_app_key" + ] + }, + "app_id": { + "type": "string" + } + } + } + ] + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "grpc": [ + { + "summary": "Main functionality to enable HTTP2 endpoint reply.", + "description": [ + "To enable full HTTP2 traffic from the user to the final endpoint " + ], + "name": "HTTP2 Endpoint", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "soap": [ + { + "summary": "Adds support for a small subset of SOAP.", + "description": [ + "This policy adds support for a very small subset of SOAP. \n", + "It expects a SOAP action URI in the SOAPAction header or the Content-Type ", + "header. 
The SOAPAction header is used in v1.1 of the SOAP standard: ", + "https://www.w3.org/TR/2000/NOTE-SOAP-20000508/#_Toc478383528 , whereas ", + "the Content-Type header is used in v1.2 of the SOAP standard: ", + "https://www.w3.org/TR/soap12-part2/#ActionFeature \n", + "The SOAPAction URI is matched against the mapping rules defined in the ", + "policy and calculates a usage based on that so it can be authorized and ", + "reported against 3scale's backend." + ], + "name": "SOAP", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "mapping_rules": { + "items": { + "properties": { + "delta": { + "type": "integer", + "description": "Value." + }, + "metric_system_name": { + "type": "string", + "description": "Metric." + }, + "pattern": { + "type": "string", + "description": "Pattern to match against the request." + } + }, + "required": [ + "pattern", + "metric_system_name", + "delta" + ], + "type": "object" + }, + "description": "Mapping rules.", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "liquid_context_debug": [ + { + "name": "Liquid Context Debug", + "summary": "Inspects the available liquid context.", + "description": [ + "This is a policy intended only for debugging purposes. This policy ", + "returns the context available when evaluating liquid. Any policy can ", + "modify the context that is shared between policies and that context is ", + "available when evaluating liquid. However, documenting what is available ", + "is not possible because policies can add any arbitrary field. Users who ", + "want to develop a policy can use this one to know the context available ", + "in their configuration. ", + "When combined with the APIcast policy or the upstream one, this policy ", + "needs to be placed before them in the chain in order to work correctly. ", + "Note: This policy only returns duplicated objects once to avoid circular ", + "references." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + }, + { + "version": "builtin", + "name": "upstream" + }, + { + "version": "builtin", + "name": "routing" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_batcher": [ + { + "summary": "Caches auths from 3scale backend and batches reports.", + "description": [ + "This policy caches authorizations from the 3scale backend ", + "and reports them in batches. This is more efficient than authorizing ", + "and reporting on each request at the expense of losing accuracy in the ", + "rate limits." + ], + "name": "3scale Batcher", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "batch_report_seconds": { + "type": "integer", + "description": "Duration (in seconds) for batching reports" + }, + "auths_ttl": { + "type": "integer", + "description": "TTL for cached auths in seconds" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "rate_limit": [ + { + "summary": "Adds rate limit.", + "description": [ + "This policy adds rate limit." 
+ ], + "name": "Edge Limiting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "error_handling": { + "$id": "#/definitions/error_handling", + "oneOf": [ + { + "description": "Respond with an error", + "enum": [ + "exit" + ] + }, + { + "description": "Let the request go through and only output logs", + "enum": [ + "log" + ] + } + ], + "description": "How to handle an error", + "default": "exit", + "type": "string" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 0, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + }, + "key": { + "type": "object", + "properties": { + "scope": { + "oneOf": [ + { + "description": "Global scope, affecting to all services", + "enum": [ + "global" + ] + }, + { + "description": "Service scope, affecting to one service", + "enum": [ + "service" + ] + } + ], + "type": "string", + "default": "service", + "description": "Scope of the key" + }, + "name": { + "description": "The name of the key, must be unique in the scope", + "type": "string" + }, + "name_type": { + "oneOf": [ + { + "title": "Evaluate 'name' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'name' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'name'", + "default": "plain", + "type": "string" + } + }, + "$id": "#/definitions/key", + "description": "The key corresponding to the limiter object" + }, + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Operation to apply. 
The matches op supports PCRE (Perl compatible regular expressions)", + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + } + }, + "properties": { + "connection_limiters": { + "items": { + "properties": { + "condition": { + "$ref": "#/definitions/condition" + }, + "conn": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The maximum number of concurrent requests allowed" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive concurrent requests (or connections) allowed to be delayed" + }, + "key": { + "$ref": "#/definitions/key" + }, + "delay": { + "exclusiveMinimum": 0, + "type": "number", + "description": "The default processing latency of a typical connection (or request)" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits_exceeded_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 429, + "description": "The status code when requests over the limit" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + "type": "object" + }, + "configuration_error": { + "properties": { + "status_code": { + "type": "integer", + "default": 500, + "description": "The status code when there is some configuration issue" + }, + "error_handling": { + "$ref": "#/definitions/error_handling" + } + }, + 
"type": "object" + }, + "fixed_window_limiters": { + "items": { + "properties": { + "window": { + "type": "integer", + "minimum": 0, + "default": 1, + "description": "The time window in seconds before the request count is reset" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "count": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified number of requests threshold" + } + }, + "type": "object", + "required": [ + "key", + "count", + "window" + ] + }, + "type": "array" + }, + "leaky_bucket_limiters": { + "items": { + "properties": { + "rate": { + "exclusiveMinimum": 0, + "type": "integer", + "description": "The specified request rate (number per second) threshold" + }, + "condition": { + "$ref": "#/definitions/condition" + }, + "key": { + "$ref": "#/definitions/key" + }, + "burst": { + "minimum": 0, + "type": "integer", + "description": "The number of excessive requests per second allowed to be delayed" + } + }, + "type": "object" + }, + "type": "array" + }, + "redis_url": { + "type": "string", + "description": "URL of Redis" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "headers": [ + { + "summary": "Allows to include custom headers.", + "description": [ + "This policy allows to include custom headers that will be sent to the ", + "upstream as well as modify or delete the ones included in the original ", + "request. Similarly, this policy also allows to add, modify, and delete ", + "the headers included in the response." 
+ ], + "name": "Header Modification", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing header.", + "enum": [ + "add" + ] + }, + { + "title": "Create the header when not set, replace its value when set.", + "enum": [ + "set" + ] + }, + { + "title": "Create the header when not set, add the value when set.", + "enum": [ + "push" + ] + }, + { + "title": "Delete a header.", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to be applied", + "type": "string" + }, + "header": { + "type": "string", + "description": "Header to be modified" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value that will be added, set or pushed in the header. Not needed when deleting." + } + }, + "required": [ + "op", + "header" + ], + "type": "object" + }, + "description": "List of operations to apply to the headers", + "type": "array" + } + }, + "properties": { + "response": { + "$ref": "#/definitions/commands" + }, + "request": { + "$ref": "#/definitions/commands" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "cors": [ + { + "name": "CORS Request Handling", + "summary": "Enables CORS (Cross Origin Resource Sharing) request handling.", + "description": [ + "This policy enables Cross Origin Resource Sharing (CORS) request ", + "handling. It allows to define CORS headers such as ", + "Access-Control-Allow-Headers, Access-Control-Allow-Methods, etc. \n", + "When combined with the APIcast policy, the CORS policy should be ", + "placed before it in the chain." 
+ ], + "order": { + "before": [ + { + "version": "builtin", + "name": "apicast" + } + ] + }, + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "allow_headers": { + "items": { + "type": "string" + }, + "description": "Allowed headers", + "type": "array" + }, + "allow_credentials": { + "type": "boolean", + "description": "Whether the request can be made using credentials" + }, + "allow_methods": { + "items": { + "enum": [ + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "type": "array" + }, + "allow_origin": { + "type": "string", + "description": "Origin allowed for CORS requests. The field expects only one origin (e.g. https://example.com) or '*'. If left blank, the value of the 'Origin' request header will be used." + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "http_proxy": [ + { + "summary": "Adds an HTTP proxy to the service.", + "description": [ + "With this policy all the traffic for this service will be routed accross ", + "the defined proxy" + ], + "name": "Proxy Service", + "$schema": "http://apicast.io/policy-v1/schema#manifest#", + "configuration": { + "properties": { + "https_proxy": { + "type": "string", + "description": "Defines a HTTPS proxy to be used for connecting to HTTPS services. Authentication is not supported" + }, + "http_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to HTTP services. Authentication is not supported" + }, + "all_proxy": { + "type": "string", + "description": "Defines a HTTP proxy to be used for connecting to services if a protocol-specific proxy is not specified. Authentication is not supported." 
+ } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "conditional": [ + { + "summary": "Executes a policy chain conditionally.", + "description": [ + "Evaluates a condition, and when it's true, it calls its policy chain. ", + "This policy cannot be configured from the 3scale Admin Portal." + ], + "name": "Conditional Policy [Tech preview]", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "operation": { + "required": [ + "left", + "op", + "right" + ], + "properties": { + "op": { + "enum": [ + "==", + "!=" + ], + "type": "string" + }, + "right": { + "type": "string" + }, + "left_type": { + "oneOf": [ + { + "title": "Evaluate 'left' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'left' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'left'", + "default": "plain", + "type": "string" + }, + "left": { + "type": "string" + }, + "right_type": { + "oneOf": [ + { + "title": "Evaluate 'right' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'right' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "description": "How to evaluate 'right'", + "default": "plain", + "type": "string" + } + }, + "type": "object", + "$id": "#/definitions/operation" + }, + "condition": { + "description": "Condition to be evaluated", + "properties": { + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "operations": { + "minItems": 1, + "type": "array", + "items": { + "$ref": "#/definitions/operation" + } + } + }, + "$id": "#/definitions/condition", + "type": "object" + } + }, + "properties": { + "policy_chain": { + "items": { + "type": "object" + }, + "description": "The policy chain to execute when the condition is true", + "type": "array" + }, + "condition": { + "$ref": "#/definitions/condition" + } + }, + "required": [ + "condition" + ], + "type": "object" + }, + "version": "builtin" + } + ], + 
"echo": [ + { + "summary": "Prints the request back to the client and optionally sets a status code.", + "description": [ + "This policy prints the request back to the client and optionally sets ", + "a status code." + ], + "name": "Echo", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": { + "status": { + "type": "integer", + "description": "HTTP status code to be returned" + }, + "exit": { + "oneOf": [ + { + "title": "Interrupt the processing of the request.", + "enum": [ + "request" + ] + }, + { + "title": "Skip only the rewrite phase.", + "enum": [ + "phase" + ] + } + ], + "description": "Exit mode", + "type": "string" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "3scale_referrer": [ + { + "summary": "Sends the 'Referer' to 3scale backend so it can be validated.", + "description": "Sends the 'Referer' to 3scale backend for validation.", + "name": "3scale Referrer", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "properties": {}, + "type": "object" + }, + "version": "builtin" + } + ], + "url_rewriting": [ + { + "summary": "Allows to modify the path of a request.", + "description": [ + "This policy allows to modify the path of a request. ", + "The operations supported are sub and gsub based on ngx.re.sub and ", + "ngx.re.gsub provided by OpenResty. Please check ", + "https://github.com/openresty/lua-nginx-module for more details on how ", + "to define regular expressions and learn the options supported. \n", + "When combined with the APIcast policy, if the URL rewriting policy is ", + "placed before it in the chain, the APIcast mapping rules will apply to the ", + "modified path. If the URL rewriting policy is placed after APIcast in the ", + "chain, then the mapping rules will apply to the original path." 
+ ], + "name": "URL Rewriting", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "methods": { + "items": { + "oneOf": [ + { + "title": "GET", + "enum": [ + "GET" + ] + }, + { + "title": "POST", + "enum": [ + "POST" + ] + }, + { + "title": "PUT", + "enum": [ + "PUT" + ] + }, + { + "title": "PATCH", + "enum": [ + "PATCH" + ] + }, + { + "title": "DELETE", + "enum": [ + "DELETE" + ] + }, + { + "title": "HEAD", + "enum": [ + "HEAD" + ] + }, + { + "title": "OPTIONS", + "enum": [ + "OPTIONS" + ] + } + ], + "type": "string" + }, + "type": "array", + "description": "Array of HTTP methods this rule must be applied to. If left blank it will be applied to all HTTP methods", + "$id": "#/definitions/methods" + } + }, + "properties": { + "query_args_commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Add a value to an existing argument", + "enum": [ + "add" + ] + }, + { + "title": "Create the arg when not set, replace its value when set", + "enum": [ + "set" + ] + }, + { + "title": "Create the arg when not set, add the value when set", + "enum": [ + "push" + ] + }, + { + "title": "Delete an arg", + "enum": [ + "delete" + ] + } + ], + "description": "Operation to apply to the query argument", + "type": "string" + }, + "arg": { + "type": "string", + "description": "Query argument" + }, + "methods": { + "$ref": "#/definitions/methods", + "description": "Array of HTTP methods this rule must be applied to. 
If left blank it will be applied to all HTTP methods" + }, + "value_type": { + "description": "How to evaluate 'value'", + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "default": "plain", + "type": "string" + }, + "value": { + "type": "string", + "description": "Value" + } + }, + "required": [ + "op", + "arg" + ], + "type": "object" + }, + "description": "List of commands to apply to the query string args", + "type": "array" + }, + "commands": { + "items": { + "properties": { + "op": { + "oneOf": [ + { + "title": "Substitute the first match of the regex applied.", + "enum": [ + "sub" + ] + }, + { + "title": "Substitute all the matches of the regex applied.", + "enum": [ + "gsub" + ] + } + ], + "description": "Operation to be applied (sub or gsub)", + "type": "string" + }, + "methods": { + "$ref": "#/definitions/methods" + }, + "regex": { + "type": "string", + "description": "Regular expression to be matched" + }, + "break": { + "type": "boolean", + "description": "when set to true, if the command rewrote the URL, it will be the last one applied" + }, + "replace": { + "type": "string", + "description": "String that will replace what is matched by the regex" + }, + "options": { + "type": "string", + "description": "Options that define how the regex matching is performed" + } + }, + "required": [ + "op", + "regex", + "replace" + ], + "type": "object" + }, + "description": "List of rewriting commands to be applied", + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "jwt_claim_check": [ + { + "summary": "Allow or deny traffic based on a JWT claim", + "description": [ + "This Policy allow to block traffic based on a JWT token.", + "To verify any JWT claim can be used and can be compared ", + "using plain or liquid filters." 
+ ], + "name": "JWT Claim Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "rules": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource' field" + }, + "operations": { + "items": { + "properties": { + "op": { + "enum": [ + "==", + "!=", + "matches" + ], + "description": "Match operation to compare JWT claim with the provided value. In case that a not a number is in use in numeric comparison, the value will be transformed to 0.", + "type": "string" + }, + "jwt_claim_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'jwt_claim' value" + }, + "jwt_claim": { + "type": "string", + "description": "String to get JWT claim" + }, + "value_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'value' field" + }, + "value": { + "type": "string", + "description": "Value to compare the retrieved JWT claim" + } + }, + "required": [ + "jwt_claim", + "jwt_claim_type", + "op", + "value" + ], + "type": "object" + }, + "description": "Operations to perform the condition", + "type": "array" + }, + "combine_op": { + "type": "string", + "default": "and", + "enum": [ + "and", + "or" + ] + }, + "resource": { + "description": "Resource controlled by the rule. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + } + }, + "required": [ + "resource" + ] + }, + "type": "array" + }, + "error_message": { + "title": "Error message", + "type": "string", + "description": "Error message to show to user when traffic is blocked" + } + }, + "type": "object" + }, + "version": "builtin" + } + ], + "keycloak_role_check": [ + { + "summary": "Adds role check with Keycloak.", + "description": [ + "This policy adds role check with Keycloak.\n", + "This policy verifies realm roles and client roles in the access token." + ], + "name": "RH-SSO/Keycloak Role Check", + "$schema": "http://apicast.io/policy-v1.1/schema#manifest#", + "configuration": { + "definitions": { + "value_type": { + "oneOf": [ + { + "title": "Evaluate 'value' as plain text.", + "enum": [ + "plain" + ] + }, + { + "title": "Evaluate 'value' as liquid.", + "enum": [ + "liquid" + ] + } + ], + "$id": "#/definitions/value_type", + "type": "string" + } + }, + "properties": { + "type": { + "type": "string", + "enum": [ + "whitelist", + "blacklist" + ], + "default": "whitelist", + "description": "Type of the role check" + }, + "scopes": { + "items": { + "properties": { + "resource_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'resource'" + }, + "methods": { + "items": { + "enum": [ + "ANY", + "GET", + "HEAD", + "POST", + "PUT", + "DELETE", + "PATCH", + "OPTIONS", + "TRACE", + "CONNECT" + ], + "type": "string" + }, + "description": "Allowed methods", + "default": [ + "ANY" + ], + "type": "array" + }, + "resource": { + "description": "Resource controlled by role. This is the same format as Mapping Rules. 
This matches from the beginning of the string and to make an exact match you need to use '$' at the end.", + "type": "string" + }, + "realm_roles": { + "items": { + "properties": { + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "name": { + "description": "Name of the role", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Realm roles" + }, + "client_roles": { + "items": { + "properties": { + "client_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'client'" + }, + "name": { + "description": "Name of the role", + "type": "string" + }, + "name_type": { + "$ref": "#/definitions/value_type", + "description": "How to evaluate 'name'" + }, + "client": { + "description": "Client of the role.", + "type": "string" + } + }, + "type": "object" + }, + "type": "array", + "description": "Client roles" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "version": "builtin" + } + ] + } +}