rule

package
v0.40.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 13, 2024 License: Apache-2.0 Imports: 42 Imported by: 16

Documentation

Overview

Package rule implements management capabilities for rules

A rule is used to decide what to do with requests that are hitting the ORY Oathkeeper proxy server. A rule must define the HTTP methods and the URL under which it will apply. A URL may not have more than one rule. If a URL has no rule applied, the proxy server will return a 404 not found error.

ORY Oathkeeper stores as many rules as required and iterates through them on every request. Rules are essential to the way ORY Oathkeeper works.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrUnbalancedPattern       = errors.New("unbalanced pattern")
	ErrMethodNotImplemented    = errors.New("the method is not implemented")
	ErrUnknownMatchingStrategy = errors.New("unknown matching strategy")
)

common errors for MatchingEngine.

Functions

This section is empty.

Types

type ErrorHandler added in v0.39.0

type ErrorHandler struct {
	// Handler identifies the implementation which will be used to handle this specific request. Please read the user
	// guide for a complete list of available handlers.
	Handler string `json:"handler"`

	// Config defines additional configuration for the response handler.
	Config json.RawMessage `json:"config"`
}

type Fetcher added in v0.39.0

type Fetcher interface {
	Watch(ctx context.Context) error
}

type FetcherDefault added in v0.39.0

type FetcherDefault struct {
	// contains filtered or unexported fields
}

func NewFetcherDefault added in v0.39.0

func NewFetcherDefault(
	config configuration.Provider,
	registry fetcherRegistry,
) *FetcherDefault

func (*FetcherDefault) SetURLMux added in v0.40.1

func (f *FetcherDefault) SetURLMux(mux *blob.URLMux)

func (*FetcherDefault) Watch added in v0.39.0

func (f *FetcherDefault) Watch(ctx context.Context) error

type Handler

type Handler struct {
	// Handler identifies the implementation which will be used to handle this specific request. Please read the user
	// guide for a complete list of available handlers.
	Handler string `json:"handler"`

	// Config contains the configuration for the handler. Please read the user
	// guide for a complete list of each handler's available settings.
	Config json.RawMessage `json:"config"`
}

type Match added in v0.39.0

type Match struct {
	// An array of HTTP methods (e.g. GET, POST, PUT, DELETE, ...). When ORY Oathkeeper searches for rules
	// to decide what to do with an incoming request to the proxy server, it compares the HTTP method of the incoming
	// request with the HTTP methods of each rules. If a match is found, the rule is considered a partial match.
	// If the matchesUrl field is satisfied as well, the rule is considered a full match.
	Methods []string `json:"methods"`

	// This field represents the URL pattern this rule matches. When ORY Oathkeeper searches for rules
	// to decide what to do with an incoming request to the proxy server, it compares the full request URL
	// (e.g. https://mydomain.com/api/resource) without query parameters of the incoming
	// request with this field. If a match is found, the rule is considered a partial match.
	// If the matchesMethods field is satisfied as well, the rule is considered a full match.
	//
	// You can use regular expressions or glob patterns in this field to match more than one url.
	// The matching strategy is determined by configuration parameter MatchingStrategy.
	// Regular expressions and glob patterns are encapsulated in brackets < and >.
	// The following regexp example matches all paths of the domain `mydomain.com`: `https://mydomain.com/<.*>`.
	// The glob equivalent of the above regexp example is `https://mydomain.com/<*>`.
	URL string `json:"url"`
}

func (*Match) GetMethods added in v0.40.0

func (m *Match) GetMethods() []string

func (*Match) GetURL added in v0.40.0

func (m *Match) GetURL() string

func (*Match) Protocol added in v0.40.0

func (m *Match) Protocol() Protocol

type MatchGRPC added in v0.40.0

type MatchGRPC struct {
	Authority  string `json:"authority"`
	FullMethod string `json:"full_method"`
}

func (*MatchGRPC) GetMethods added in v0.40.0

func (m *MatchGRPC) GetMethods() []string

func (*MatchGRPC) GetURL added in v0.40.0

func (m *MatchGRPC) GetURL() string

func (*MatchGRPC) Protocol added in v0.40.0

func (m *MatchGRPC) Protocol() Protocol

type Matcher

type Matcher interface {
	Match(ctx context.Context, method string, u *url.URL, protocol Protocol) (*Rule, error)
}

type MatchingEngine added in v0.39.0

type MatchingEngine interface {
	IsMatching(pattern, matchAgainst string) (bool, error)
	ReplaceAllString(pattern, input, replacement string) (string, error)
	FindStringSubmatch(pattern, matchAgainst string) ([]string, error)
	Checksum() uint64
}

MatchingEngine describes an interface of matching engine such as regexp or glob.

type OnErrorRequest added in v0.39.0

type OnErrorRequest struct {
	// ContentType defines the content type(s) that should match. Wildcards such as `application/*` are supported.
	ContentType []string `json:"content_type"`

	// Accept defines the accept header that should match. Wildcards such as `application/*` are supported.
	Accept []string `json:"accept"`
}

type Protocol added in v0.40.0

type Protocol int
const (
	ProtocolHTTP Protocol = iota
	ProtocolGRPC
)

type Registry added in v0.39.0

type Registry interface {
	RuleValidator() Validator
	RuleFetcher() Fetcher
	RuleRepository() Repository
	RuleMatcher() Matcher
}

type Repository added in v0.39.0

type Repository interface {
	List(ctx context.Context, limit, offset int) ([]Rule, error)
	Set(context.Context, []Rule) error
	Get(context.Context, string) (*Rule, error)
	Count(context.Context) (int, error)
	MatchingStrategy(context.Context) (configuration.MatchingStrategy, error)
	SetMatchingStrategy(context.Context, configuration.MatchingStrategy) error
	ReadyChecker(*http.Request) error
}

type RepositoryMemory added in v0.39.0

type RepositoryMemory struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewRepositoryMemory added in v0.39.0

func NewRepositoryMemory(r repositoryMemoryRegistry) *RepositoryMemory

func (*RepositoryMemory) Count added in v0.39.0

func (m *RepositoryMemory) Count(ctx context.Context) (int, error)

func (*RepositoryMemory) Get added in v0.39.0

func (m *RepositoryMemory) Get(ctx context.Context, id string) (*Rule, error)

func (*RepositoryMemory) List added in v0.39.0

func (m *RepositoryMemory) List(ctx context.Context, limit, offset int) ([]Rule, error)

func (*RepositoryMemory) Match added in v0.39.0

func (m *RepositoryMemory) Match(ctx context.Context, method string, u *url.URL, protocol Protocol) (*Rule, error)

func (*RepositoryMemory) MatchingStrategy added in v0.39.0

MatchingStrategy returns current MatchingStrategy.

func (*RepositoryMemory) ReadyChecker added in v0.40.2

func (m *RepositoryMemory) ReadyChecker(r *http.Request) error

func (*RepositoryMemory) Set added in v0.39.0

func (m *RepositoryMemory) Set(ctx context.Context, rules []Rule) error

func (*RepositoryMemory) SetMatchingStrategy added in v0.39.0

func (m *RepositoryMemory) SetMatchingStrategy(_ context.Context, ms configuration.MatchingStrategy) error

SetMatchingStrategy updates MatchingStrategy.

func (*RepositoryMemory) WithRules added in v0.39.0

func (m *RepositoryMemory) WithRules(rules []Rule)

WithRules sets rules without validation. For testing only.

type Rule

type Rule struct {
	// ID is the unique id of the rule. It can be at most 190 characters long, but the layout of the ID is up to you.
	// You will need this ID later on to update or delete the rule.
	ID string `json:"id"`

	// Version represents the access rule version. Should match one of ORY Oathkeepers release versions. Supported since
	// v0.20.0-beta.1+oryOS.14.
	Version string `json:"version"`

	// Description is a human readable description of this rule.
	Description string `json:"description"`

	// Match defines the URL that this rule should match.
	Match URLProvider `json:"match" faker:"urlProvider"`

	// Authenticators is a list of authentication handlers that will try and authenticate the provided credentials.
	// Authenticators are checked iteratively from index 0 to n and if the first authenticator to return a positive
	// result will be the one used.
	//
	// If you want the rule to first check a specific authenticator  before "falling back" to others, have that authenticator
	// as the first item in the array.
	Authenticators []Handler `json:"authenticators"`

	// Authorizer is the authorization handler which will try to authorize the subject (authenticated using an Authenticator)
	// making the request.
	Authorizer Handler `json:"authorizer"`

	// Mutators is a list of mutation handlers that transform the HTTP request. A common use case is generating a new set
	// of credentials (e.g. JWT) which then will be forwarded to the upstream server.
	//
	// Mutations are performed iteratively from index 0 to n and should all succeed in order for the HTTP request to be forwarded.
	Mutators []Handler `json:"mutators"`

	// Errors is a list of error handlers. These will be invoked if any part of the system returns an error. You can
	// configure error matchers to listen on certain errors (e.g. unauthorized) and execute specific logic (e.g. redirect
	// to the login endpoint, return with an XML error, return a json error, ...).
	Errors []ErrorHandler `json:"errors"`

	// Upstream is the location of the server where requests matching this rule should be forwarded to.
	Upstream Upstream `json:"upstream"`
	// contains filtered or unexported fields
}

Rule is a single rule that will get checked on every HTTP request.

func (*Rule) ExtractRegexGroups added in v0.39.0

func (r *Rule) ExtractRegexGroups(strategy configuration.MatchingStrategy, u *url.URL) ([]string, error)

ExtractRegexGroups returns the values matching the rule pattern

func (*Rule) GetID added in v0.39.0

func (r *Rule) GetID() string

GetID returns the rule's ID.

func (*Rule) IsMatching

func (r *Rule) IsMatching(strategy configuration.MatchingStrategy, method string, u *url.URL, protocol Protocol) (bool, error)

IsMatching checks whether the provided url and method match the rule. An error will be returned if a regexp matching strategy is selected and regexp timeout occurs.

func (*Rule) ReplaceAllString added in v0.39.0

func (r *Rule) ReplaceAllString(strategy configuration.MatchingStrategy, input, replacement string) (string, error)

ReplaceAllString searches the input string and replaces each match (with the rule's pattern) found with the replacement text.

func (*Rule) UnmarshalJSON added in v0.39.0

func (r *Rule) UnmarshalJSON(raw []byte) error

type URLMuxSetter added in v0.40.1

type URLMuxSetter interface {
	SetURLMux(mux *blob.URLMux)
}

type URLProvider added in v0.40.0

type URLProvider interface {
	GetURL() string
	GetMethods() []string
	Protocol() Protocol
}

type Upstream added in v0.15.0

type Upstream struct {
	// PreserveHost, if false (the default), tells ORY Oathkeeper to set the upstream request's Host header to the
	// hostname of the API's upstream's URL. Setting this flag to true instructs ORY Oathkeeper not to do so.
	PreserveHost bool `json:"preserve_host"`

	// StripPath if set, replaces the provided path prefix when forwarding the requested URL to the upstream URL.
	StripPath string `json:"strip_path"`

	// URL is the URL the request will be proxied to.
	URL string `json:"url"`
}

type Validator added in v0.39.0

type Validator interface {
	Validate(r *Rule) error
}

type ValidatorDefault added in v0.39.0

type ValidatorDefault struct {
	// contains filtered or unexported fields
}

func NewValidatorDefault added in v0.39.0

func NewValidatorDefault(r validatorRegistry) *ValidatorDefault

func (*ValidatorDefault) Validate added in v0.39.0

func (v *ValidatorDefault) Validate(r *Rule) error

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL