Documentation
¶
Overview ¶
Package rule implements management capabilities for rules
A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server. A rule must define the HTTP methods and the URL under which it will apply. A URL may not have more than one rule. If a URL has no rule applied, the proxy server will return a 404 not found error.
ORY Oathkeeper stores as many rules as required and iterates through them on every request. Rules are essential to the way ORY Oathkeeper works.
Index ¶
- Variables
- type ErrorHandler
- type Fetcher
- type FetcherDefault
- type Handler
- type Match
- type MatchGRPC
- type Matcher
- type MatchingEngine
- type OnErrorRequest
- type Protocol
- type Registry
- type Repository
- type RepositoryMemory
- func (m *RepositoryMemory) Count(ctx context.Context) (int, error)
- func (m *RepositoryMemory) Get(ctx context.Context, id string) (*Rule, error)
- func (m *RepositoryMemory) List(ctx context.Context, limit, offset int) ([]Rule, error)
- func (m *RepositoryMemory) Match(ctx context.Context, method string, u *url.URL, protocol Protocol) (*Rule, error)
- func (m *RepositoryMemory) MatchingStrategy(_ context.Context) (configuration.MatchingStrategy, error)
- func (m *RepositoryMemory) ReadyChecker(r *http.Request) error
- func (m *RepositoryMemory) Set(ctx context.Context, rules []Rule) error
- func (m *RepositoryMemory) SetMatchingStrategy(_ context.Context, ms configuration.MatchingStrategy) error
- func (m *RepositoryMemory) WithRules(rules []Rule)
- type Rule
- func (r *Rule) ExtractRegexGroups(strategy configuration.MatchingStrategy, u *url.URL) ([]string, error)
- func (r *Rule) GetID() string
- func (r *Rule) IsMatching(strategy configuration.MatchingStrategy, method string, u *url.URL, ...) (bool, error)
- func (r *Rule) ReplaceAllString(strategy configuration.MatchingStrategy, input, replacement string) (string, error)
- func (r *Rule) UnmarshalJSON(raw []byte) error
- type URLMuxSetter
- type URLProvider
- type Upstream
- type Validator
- type ValidatorDefault
Constants ¶
This section is empty.
Variables ¶
View Source
var ( ErrUnbalancedPattern = errors.New("unbalanced pattern") ErrMethodNotImplemented = errors.New("the method is not implemented") ErrUnknownMatchingStrategy = errors.New("unknown matching strategy") )
common errors for MatchingEngine.
Functions ¶
This section is empty.
Types ¶
type ErrorHandler ¶ added in v0.39.0
type ErrorHandler struct {
// Handler identifies the implementation which will be used to handle this specific request. Please read the user
// guide for a complete list of available handlers.
Handler string `json:"handler"`
// Config defines additional configuration for the response handler.
Config json.RawMessage `json:"config"`
}
type FetcherDefault ¶ added in v0.39.0
type FetcherDefault struct {
// contains filtered or unexported fields
}
func NewFetcherDefault ¶ added in v0.39.0
func NewFetcherDefault( config configuration.Provider, registry fetcherRegistry, ) *FetcherDefault
func (*FetcherDefault) SetURLMux ¶ added in v0.40.1
func (f *FetcherDefault) SetURLMux(mux *blob.URLMux)
type Handler ¶
type Handler struct {
// Handler identifies the implementation which will be used to handle this specific request. Please read the user
// guide for a complete list of available handlers.
Handler string `json:"handler"`
// Config contains the configuration for the handler. Please read the user
// guide for a complete list of each handler's available settings.
Config json.RawMessage `json:"config"`
}
type Match ¶ added in v0.39.0
type Match struct {
// An array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). When ORY Oathkeeper searches for rules
// to decide what to do with an incoming request to the proxy server, it compares the HTTP method of the incoming
// request with the HTTP methods of each rules. If a match is found, the rule is considered a partial match.
// If the matchesUrl field is satisfied as well, the rule is considered a full match.
Methods []string `json:"methods"`
// This field represents the URL pattern this rule matches. When ORY Oathkeeper searches for rules
// to decide what to do with an incoming request to the proxy server, it compares the full request URL
// (e.g. https://mydomain.com/api/resource) without query parameters of the incoming
// request with this field. If a match is found, the rule is considered a partial match.
// If the matchesMethods field is satisfied as well, the rule is considered a full match.
//
// You can use regular expressions or glob patterns in this field to match more than one url.
// The matching strategy is determined by configuration parameter MatchingStrategy.
// Regular expressions and glob patterns are encapsulated in brackets < and >.
// The following regexp example matches all paths of the domain `mydomain.com`: `https://mydomain.com/<.*>`.
// The glob equivalent of the above regexp example is `https://mydomain.com/<*>`.
URL string `json:"url"`
}
func (*Match) GetMethods ¶ added in v0.40.0
type MatchGRPC ¶ added in v0.40.0
type MatchGRPC struct {
Authority string `json:"authority"`
FullMethod string `json:"full_method"`
}
func (*MatchGRPC) GetMethods ¶ added in v0.40.0
type MatchingEngine ¶ added in v0.39.0
type MatchingEngine interface {
IsMatching(pattern, matchAgainst string) (bool, error)
ReplaceAllString(pattern, input, replacement string) (string, error)
FindStringSubmatch(pattern, matchAgainst string) ([]string, error)
Checksum() uint64
}
MatchingEngine describes an interface of matching engine such as regexp or glob.
type OnErrorRequest ¶ added in v0.39.0
type OnErrorRequest struct {
// ContentType defines the content type(s) that should match. Wildcards such as `application/*` are supported.
ContentType []string `json:"content_type"`
// Accept defines the accept header that should match. Wildcards such as `application/*` are supported.
Accept []string `json:"accept"`
}
type Registry ¶ added in v0.39.0
type Registry interface {
RuleValidator() Validator
RuleFetcher() Fetcher
RuleRepository() Repository
RuleMatcher() Matcher
}
type Repository ¶ added in v0.39.0
type Repository interface {
List(ctx context.Context, limit, offset int) ([]Rule, error)
Set(context.Context, []Rule) error
Get(context.Context, string) (*Rule, error)
Count(context.Context) (int, error)
MatchingStrategy(context.Context) (configuration.MatchingStrategy, error)
SetMatchingStrategy(context.Context, configuration.MatchingStrategy) error
ReadyChecker(*http.Request) error
}
type RepositoryMemory ¶ added in v0.39.0
func NewRepositoryMemory ¶ added in v0.39.0
func NewRepositoryMemory(r repositoryMemoryRegistry) *RepositoryMemory
func (*RepositoryMemory) Count ¶ added in v0.39.0
func (m *RepositoryMemory) Count(ctx context.Context) (int, error)
func (*RepositoryMemory) MatchingStrategy ¶ added in v0.39.0
func (m *RepositoryMemory) MatchingStrategy(_ context.Context) (configuration.MatchingStrategy, error)
MatchingStrategy returns current MatchingStrategy.
func (*RepositoryMemory) ReadyChecker ¶ added in v0.40.2
func (m *RepositoryMemory) ReadyChecker(r *http.Request) error
func (*RepositoryMemory) Set ¶ added in v0.39.0
func (m *RepositoryMemory) Set(ctx context.Context, rules []Rule) error
func (*RepositoryMemory) SetMatchingStrategy ¶ added in v0.39.0
func (m *RepositoryMemory) SetMatchingStrategy(_ context.Context, ms configuration.MatchingStrategy) error
SetMatchingStrategy updates MatchingStrategy.
func (*RepositoryMemory) WithRules ¶ added in v0.39.0
func (m *RepositoryMemory) WithRules(rules []Rule)
WithRules sets rules without validation. For testing only.
type Rule ¶
type Rule struct {
// ID is the unique id of the rule. It can be at most 190 characters long, but the layout of the ID is up to you.
// You will need this ID later on to update or delete the rule.
ID string `json:"id"`
// Version represents the access rule version. Should match one of ORY Oathkeepers release versions. Supported since
// v0.20.0-beta.1+oryOS.14.
Version string `json:"version"`
// Description is a human readable description of this rule.
Description string `json:"description"`
// Match defines the URL that this rule should match.
Match URLProvider `json:"match" faker:"urlProvider"`
// Authenticators is a list of authentication handlers that will try and authenticate the provided credentials.
// Authenticators are checked iteratively from index 0 to n and if the first authenticator to return a positive
// result will be the one used.
//
// If you want the rule to first check a specific authenticator before "falling back" to others, have that authenticator
// as the first item in the array.
Authenticators []Handler `json:"authenticators"`
// Authorizer is the authorization handler which will try to authorize the subject (authenticated using an Authenticator)
// making the request.
Authorizer Handler `json:"authorizer"`
// Mutators is a list of mutation handlers that transform the HTTP request. A common use case is generating a new set
// of credentials (e.g. JWT) which then will be forwarded to the upstream server.
//
// Mutations are performed iteratively from index 0 to n and should all succeed in order for the HTTP request to be forwarded.
Mutators []Handler `json:"mutators"`
// Errors is a list of error handlers. These will be invoked if any part of the system returns an error. You can
// configure error matchers to listen on certain errors (e.g. unauthorized) and execute specific logic (e.g. redirect
// to the login endpoint, return with an XML error, return a json error, ...).
Errors []ErrorHandler `json:"errors"`
// Upstream is the location of the server where requests matching this rule should be forwarded to.
Upstream Upstream `json:"upstream"`
// contains filtered or unexported fields
}
Rule is a single rule that will get checked on every HTTP request.
func (*Rule) ExtractRegexGroups ¶ added in v0.39.0
func (r *Rule) ExtractRegexGroups(strategy configuration.MatchingStrategy, u *url.URL) ([]string, error)
ExtractRegexGroups returns the values matching the rule pattern
func (*Rule) IsMatching ¶
func (r *Rule) IsMatching(strategy configuration.MatchingStrategy, method string, u *url.URL, protocol Protocol) (bool, error)
IsMatching checks whether the provided url and method match the rule. An error will be returned if a regexp matching strategy is selected and regexp timeout occurs.
func (*Rule) ReplaceAllString ¶ added in v0.39.0
func (r *Rule) ReplaceAllString(strategy configuration.MatchingStrategy, input, replacement string) (string, error)
ReplaceAllString searches the input string and replaces each match (with the rule's pattern) found with the replacement text.
func (*Rule) UnmarshalJSON ¶ added in v0.39.0
type URLMuxSetter ¶ added in v0.40.1
type URLProvider ¶ added in v0.40.0
type Upstream ¶ added in v0.15.0
type Upstream struct {
// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
PreserveHost bool `json:"preserve_host"`
// StripPath if set, replaces the provided path prefix when forwarding the requested URL to the upstream URL.
StripPath string `json:"strip_path"`
// URL is the URL the request will be proxied to.
URL string `json:"url"`
}
type ValidatorDefault ¶ added in v0.39.0
type ValidatorDefault struct {
// contains filtered or unexported fields
}
func NewValidatorDefault ¶ added in v0.39.0
func NewValidatorDefault(r validatorRegistry) *ValidatorDefault
func (*ValidatorDefault) Validate ¶ added in v0.39.0
func (v *ValidatorDefault) Validate(r *Rule) error
Source Files
Click to show internal directories.
Click to hide internal directories.