Documentation
Overview
Package rule implements management capabilities for rules.
A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server. A rule must define the HTTP methods and the URL under which it will apply. A URL may not have more than one rule. If a URL has no rule applied, the proxy server will return a 404 not found error.
ORY Oathkeeper stores as many rules as required and iterates through them on every request. Rules are essential to the way ORY Oathkeeper works.
Index
- func ValidateRule(enabledAuthenticators []string, availableAuthenticators []string, ...) func(r *Rule) error
- type CachedMatcher
- type HTTPMatcher
- type Handler
- func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- func (h *Handler) List(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
- func (h *Handler) SetRoutes(r *httprouter.Router)
- func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
- type Manager
- type Matcher
- type MemoryManager
- type Refresher
- type Rule
- type RuleHandler
- type RuleMatch
- type SQLManager
- func (s *SQLManager) CreateRule(rule *Rule) error
- func (s *SQLManager) CreateSchemas() (int, error)
- func (s *SQLManager) DeleteRule(id string) error
- func (s *SQLManager) GetRule(id string) (*Rule, error)
- func (s *SQLManager) ListRules(limit, offset int) ([]Rule, error)
- func (s *SQLManager) UpdateRule(rule *Rule) error
- type Upstream
Functions
Types
type CachedMatcher
func NewCachedMatcher (added in v0.15.0)
func NewCachedMatcher(m Manager) *CachedMatcher
func (*CachedMatcher) Refresh
func (m *CachedMatcher) Refresh() error
type HTTPMatcher (added in v0.15.0)
type HTTPMatcher struct {
	*CachedMatcher
	// contains filtered or unexported fields
}
func NewHTTPMatcher (added in v0.15.0)
func NewHTTPMatcher(u *url.URL) *HTTPMatcher
func (*HTTPMatcher) Refresh (added in v0.15.0)
func (m *HTTPMatcher) Refresh() error
type Handler
func NewHandler (added in v0.15.0)
func (*Handler) Create
func (h *Handler) Create(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route POST /rules rule createRule
Create a rule
This method allows creation of rules. If a rule id exists, you will receive an error.
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Responses:
  201: rule
  401: genericError
  403: genericError
  500: genericError
func (*Handler) Delete
func (h *Handler) Delete(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route DELETE /rules/{id} rule deleteRule
Delete a rule
Use this endpoint to delete a rule.
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Responses:
  204: emptyResponse
  401: genericError
  403: genericError
  404: genericError
  500: genericError
func (*Handler) Get
func (h *Handler) Get(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route GET /rules/{id} rule getRule
Retrieve a rule
Use this method to retrieve a rule from the storage. If it does not exist you will receive a 404 error.
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Responses:
  200: rule
  401: genericError
  403: genericError
  404: genericError
  500: genericError
func (*Handler) List
func (h *Handler) List(w http.ResponseWriter, r *http.Request, _ httprouter.Params)
swagger:route GET /rules rule listRules
List all rules
This method returns an array of all rules that are stored in the backend. This is useful if you want to get a full view of what rules you have currently in place.
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Responses:
  200: rules
  401: genericError
  403: genericError
  500: genericError
func (*Handler) SetRoutes
func (h *Handler) SetRoutes(r *httprouter.Router)
func (*Handler) Update
func (h *Handler) Update(w http.ResponseWriter, r *http.Request, ps httprouter.Params)
swagger:route PUT /rules/{id} rule updateRule
Update a rule
Use this method to update a rule. Keep in mind that you need to send the full rule payload as this endpoint does not support patching.
Consumes:
- application/json
Produces:
- application/json
Schemes: http, https
Responses:
  200: rule
  401: genericError
  403: genericError
  404: genericError
  500: genericError
type MemoryManager
func NewMemoryManager
func NewMemoryManager() *MemoryManager
func (*MemoryManager) CreateRule
func (m *MemoryManager) CreateRule(rule *Rule) error
func (*MemoryManager) DeleteRule
func (m *MemoryManager) DeleteRule(id string) error
func (*MemoryManager) ListRules
func (m *MemoryManager) ListRules(limit, offset int) ([]Rule, error)
func (*MemoryManager) UpdateRule
func (m *MemoryManager) UpdateRule(rule *Rule) error
type Rule
type Rule struct {
	// ID is the unique id of the rule. It can be at most 190 characters long, but the layout of the ID is up to you.
	// You will need this ID later on to update or delete the rule.
	ID string `json:"id" db:"surrogate_id"`

	// Description is a human readable description of this rule.
	Description string `json:"description" db:"description"`

	// Match defines the URL that this rule should match.
	Match RuleMatch `json:"match" db:"match"`

	// Authenticators is a list of authentication handlers that will try and authenticate the provided credentials.
	// Authenticators are checked iteratively from index 0 to n, and the first authenticator to return a positive
	// result will be the one used.
	//
	// If you want the rule to first check a specific authenticator before "falling back" to others, have that authenticator
	// as the first item in the array.
	Authenticators []RuleHandler `json:"authenticators" db:"authenticators"`

	// Authorizer is the authorization handler which will try to authorize the subject (authenticated using an Authenticator)
	// making the request.
	Authorizer RuleHandler `json:"authorizer" db:"authorizer"`

	// CredentialsIssuer is the handler which will issue the credentials which will be used when ORY Oathkeeper
	// forwards a granted request to the upstream server.
	CredentialsIssuer RuleHandler `json:"credentials_issuer" db:"credentials_issuer"`

	// Upstream is the location of the server where requests matching this rule should be forwarded to.
	Upstream Upstream `json:"upstream" db:"upstream"`
}
Rule is a single rule that will get checked on every HTTP request.
type RuleHandler (added in v0.15.0)
type RuleHandler struct {
	// Handler identifies the implementation which will be used to handle this specific request. Please read the user
	// guide for a complete list of available handlers.
	Handler string `json:"handler" db:"handler"`

	// Config contains the configuration for the handler. Please read the user
	// guide for a complete list of each handler's available settings.
	Config json.RawMessage `json:"config" db:"config"`
}
type RuleMatch (added in v0.15.0)
type RuleMatch struct {
	// An array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). When ORY Oathkeeper searches for rules
	// to decide what to do with an incoming request to the proxy server, it compares the HTTP method of the incoming
	// request with the HTTP methods of each rule. If a match is found, the rule is considered a partial match.
	// If the matchesUrl field is satisfied as well, the rule is considered a full match.
	Methods []string `json:"methods" db:"methods"`

	// This field represents the URL pattern this rule matches. When ORY Oathkeeper searches for rules
	// to decide what to do with an incoming request to the proxy server, it compares the full request URL
	// (e.g. https://mydomain.com/api/resource) without query parameters of the incoming
	// request with this field. If a match is found, the rule is considered a partial match.
	// If the matchesMethods field is satisfied as well, the rule is considered a full match.
	//
	// You can use regular expressions in this field to match more than one URL. Regular expressions are encapsulated in
	// brackets < and >. The following example matches all paths of the domain `mydomain.com`: `https://mydomain.com/<.*>`.
	URL string `json:"url" db:"url"`
	// contains filtered or unexported fields
}
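The matching that RuleMatch describes, sketched as an added example (not ORY Oathkeeper's own code): the hypothetical `compilePattern` and `matchingRules` treat text outside `<` and `>` as literal, drop query parameters, and return zero IDs (the 404 case) or several (a URL covered by more than one rule). It assumes an expression contains no `>` and that methods compare case-sensitively; the rules in `main` are constructed samples.

```go
package main

import (
	"fmt"
	"regexp"
	"slices"
	"strings"
)

// rule carries only the RuleMatch fields documented above (hypothetical type).
type rule struct {
	ID, URL string
	Methods []string
}

var spans = regexp.MustCompile(`<[^>]*>`) // the <...> parts of a rule URL

// compilePattern quotes literal text and keeps each <...> part as a regex group.
func compilePattern(p string) (*regexp.Regexp, error) {
	b, last := new(strings.Builder), 0
	for _, loc := range spans.FindAllStringIndex(p, -1) {
		b.WriteString(regexp.QuoteMeta(p[last:loc[0]]) + "(" + p[loc[0]+1:loc[1]-1] + ")")
		last = loc[1]
	}
	return regexp.Compile("^" + b.String() + regexp.QuoteMeta(p[last:]) + "$")
}

// matchingRules lists every rule that fully matches; none means 404, several a conflict.
func matchingRules(rules []rule, method, rawURL string) ([]string, error) {
	target, _, _ := strings.Cut(rawURL, "?") // query parameters take no part in matching
	var ids []string
	for _, r := range rules {
		re, err := compilePattern(r.URL)
		if err != nil {
			return nil, fmt.Errorf("rule %s: %w", r.ID, err)
		}
		if re.MatchString(target) && slices.Contains(r.Methods, method) {
			ids = append(ids, r.ID)
		}
	}
	return ids, nil
}

func main() {
	rules := []rule{ // constructed sample rules
		{ID: "api", URL: "https://mydomain.com/api/<.*>", Methods: []string{"GET"}},
		{ID: "all", URL: "https://mydomain.com/<.*>", Methods: []string{"GET", "POST"}},
	}
	fmt.Println(matchingRules(rules, "GET", "https://mydomain.com/api/users?id=1"))
}
```

Running such a check over a rule set before it is loaded shows which broad patterns overlap narrower ones.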
type SQLManager
type SQLManager struct {
// contains filtered or unexported fields
}
func NewSQLManager
func NewSQLManager(db *sqlx.DB) *SQLManager
func (*SQLManager) CreateRule
func (s *SQLManager) CreateRule(rule *Rule) error
func (*SQLManager) CreateSchemas
func (s *SQLManager) CreateSchemas() (int, error)
func (*SQLManager) DeleteRule
func (s *SQLManager) DeleteRule(id string) error
func (*SQLManager) UpdateRule
func (s *SQLManager) UpdateRule(rule *Rule) error
type Upstream (added in v0.15.0)
type Upstream struct {
	// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
	// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
	PreserveHost bool `json:"preserve_host"`

	// StripPath, if set, replaces the provided path prefix when forwarding the requested URL to the upstream URL.
	StripPath string `json:"strip_path"`

	// URL is the URL the request will be proxied to.
	URL string `json:"url"`
}