

generate schema and validate example for new header cert auth plugin (#…
lena-larionova authored Aug 14, 2024
1 parent 4b8dc94 commit 8299940
Showing 2 changed files with 236 additions and 0 deletions.
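--- a/examples/header-cert-auth/_3.8.x.yaml
+++ b/examples/header-cert-auth/_3.8.x.yaml
@@ -0,0 +1,7 @@
+name: header-cert-auth
+config:
+ca_certificates:
+- "0D769DE8-7CC0-4541-989B-F9C23E20054C"
+certificate_header_name: ssl-client-cert
+certificate_header_format: base64_encoded
+secure_source: false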
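Review bot: The example sets `secure_source: false`, which by the schema's own description means the plugin honors the `ssl-client-cert` header from any source instead of only from the gateway's trusted IPs. Because this plugin validates a certificate carried in a request header rather than one presented in a TLS handshake, nothing in the flow proves the sender holds the matching private key, so a client that can reach Kong directly can replay any CA-signed certificate it has obtained; restricting the source is the control that closes that gap. If the example must stay minimal, either drop the line so the secure default applies or add a comment above it, e.g. `# Keep true (the default) in production and limit trusted_ips to the TLS-terminating proxy`.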
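--- a/schemas/header-cert-auth/3.8.x.json
+++ b/schemas/header-cert-auth/3.8.x.json
@@ -0,0 +1,229 @@
+{
+"fields": [
+{
+"consumer": {
+"reference": "consumers",
+"type": "foreign",
+"description": "Custom type for representing a foreign key with a null value allowed.",
+"eq": null
+}
+},
+{
+"protocols": {
+"required": true,
+"elements": {
+"one_of": [
+"grpc",
+"grpcs",
+"http",
+"https"
+],
+"type": "string"
+},
+"type": "set",
+"default": [
+"grpc",
+"grpcs",
+"http",
+"https"
+],
+"description": "A set of strings representing HTTP protocols."
+}
+},
+{
+"consumer_group": {
+"reference": "consumer_groups",
+"type": "foreign",
+"eq": null,
+"description": "Custom type for representing a foreign key with a null value allowed."
+}
+},
+{
+"config": {
+"entity_checks": [
+{
+"mutually_required": [
+"http_proxy_host",
+"http_proxy_port"
+]
+},
+{
+"mutually_required": [
+"https_proxy_host",
+"https_proxy_port"
+]
+}
+],
+"type": "record",
+"fields": [
+{
+"certificate_header_name": {
+"type": "string",
+"required": true,
+"description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy."
+}
+},
+{
+"certificate_header_format": {
+"type": "string",
+"required": true,
+"one_of": [
+"base64_encoded",
+"url_encoded"
+],
+"description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`."
+}
+},
+{
+"secure_source": {
+"required": true,
+"type": "boolean",
+"default": true,
+"description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option)."
+}
+},
+{
+"anonymous": {
+"type": "string",
+"description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`."
+}
+},
+{
+"consumer_by": {
+"type": "array",
+"elements": {
+"one_of": [
+"username",
+"custom_id"
+],
+"type": "string"
+},
+"required": false,
+"default": [
+"username",
+"custom_id"
+],
+"description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled."
+}
+},
+{
+"ca_certificates": {
+"description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).",
+"required": true,
+"type": "array",
+"elements": {
+"uuid": true,
+"type": "string"
+}
+}
+},
+{
+"cache_ttl": {
+"type": "number",
+"required": true,
+"default": 60,
+"description": "Cache expiry time in seconds."
+}
+},
+{
+"skip_consumer_lookup": {
+"type": "boolean",
+"required": true,
+"default": false,
+"description": "Skip consumer lookup once certificate is trusted against the configured CA list."
+}
+},
+{
+"allow_partial_chain": {
+"type": "boolean",
+"required": true,
+"default": false,
+"description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates."
+}
+},
+{
+"authenticated_group_by": {
+"required": false,
+"one_of": [
+"CN",
+"DN"
+],
+"type": "string",
+"default": "CN",
+"description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users."
+}
+},
+{
+"revocation_check_mode": {
+"required": false,
+"one_of": [
+"SKIP",
+"IGNORE_CA_ERROR",
+"STRICT"
+],
+"type": "string",
+"default": "IGNORE_CA_ERROR",
+"description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status."
+}
+},
+{
+"http_timeout": {
+"type": "number",
+"default": 30000,
+"description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL."
+}
+},
+{
+"cert_cache_ttl": {
+"type": "number",
+"default": 60000,
+"description": "The length of time in milliseconds between refreshes of the revocation check status cache."
+}
+},
+{
+"default_consumer": {
+"type": "string",
+"description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`."
+}
+},
+{
+"http_proxy_host": {
+"description": "A string representing a host name, such as example.com.",
+"type": "string"
+}
+},
+{
+"http_proxy_port": {
+"type": "integer",
+"between": [
+0,
+65535
+],
+"description": "An integer representing a port number between 0 and 65535, inclusive."
+}
+},
+{
+"https_proxy_host": {
+"description": "A string representing a host name, such as example.com.",
+"type": "string"
+}
+},
+{
+"https_proxy_port": {
+"type": "integer",
+"between": [
+0,
+65535
+],
+"description": "An integer representing a port number between 0 and 65535, inclusive."
+}
+}
+],
+"required": true
+}
+}
+],
+"entity_checks": [
+
+]
+}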
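Review bot: The `secure_source` description refers to a `trusted_ips` config option, but no `trusted_ips` field exists anywhere in this schema, so it presumably means the gateway-level `trusted_ips` setting; the description should say that and state what `false` does, e.g. `If true, the certificate header is honored only from IPs in the gateway's trusted_ips setting; if false it is trusted from any client, and since no TLS handshake proves key possession, any CA-signed certificate can be replayed in the header.` Related, `revocation_check_mode` defaults to `IGNORE_CA_ERROR`, which per its own description accepts a certificate when the OCSP/CRL endpoint cannot be reached; the description should name `STRICT` as the fail-closed choice. The `ca_certificates` description says at least one entry is required, yet the field carries no minimum-length constraint, so an empty array may pass schema validation — verify against the plugin schema this file is generated from, since fixes belong there rather than in this generated copy.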
