From 8299940f01b860bc18b80ead4dda918c60dbaba2 Mon Sep 17 00:00:00 2001
From: lena-larionova <54370747+lena-larionova@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:58:32 -0700
Subject: [PATCH] generate schema and validate example for new header cert auth plugin (#46)

---
examples/header-cert-auth/_3.8.x.yaml | 7 +
schemas/header-cert-auth/3.8.x.json | 229 ++++++++++++++++++++++++++
2 files changed, 236 insertions(+)
create mode 100644 examples/header-cert-auth/_3.8.x.yaml
create mode 100644 schemas/header-cert-auth/3.8.x.json

diff --git a/examples/header-cert-auth/_3.8.x.yaml b/examples/header-cert-auth/_3.8.x.yaml
new file mode 100644
index 00000000..0bbd7799
--- /dev/null
+++ b/examples/header-cert-auth/_3.8.x.yaml
@@ -0,0 +1,7 @@
+name: header-cert-auth
+config:
+ ca_certificates:
+ - "0D769DE8-7CC0-4541-989B-F9C23E20054C"
+ certificate_header_name: ssl-client-cert
+ certificate_header_format: base64_encoded
+ secure_source: false
\ No newline at end of file
diff --git a/schemas/header-cert-auth/3.8.x.json b/schemas/header-cert-auth/3.8.x.json
new file mode 100644
index 00000000..edd98ff6
--- /dev/null
+++ b/schemas/header-cert-auth/3.8.x.json
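Review bot: The example sets `secure_source: false`, which according to the schema's own description of that field turns off the trusted-IP restriction on where the certificate header is accepted from, and the schema default is `true`; for a plugin that derives the client identity from a header set by a downstream proxy, that restriction is what ties the header to the proxy that set it, so an example that will be copied should not show the weaker setting without explanation. If the intent is only to exercise a non-default value for schema validation, keep it but say so inline, e.g. `secure_source: false  # non-default for validation coverage: disables the trusted_ips source check, keep true in deployments`; otherwise use `secure_source: true`. The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.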
@@ -0,0 +1,229 @@ +{ + "fields": [ + { + "consumer": { + "reference": "consumers", + "type": "foreign", + "description": "Custom type for representing a foreign key with a null value allowed.", + "eq": null + } + }, + { + "protocols": { + "required": true, + "elements": { + "one_of": [ + "grpc", + "grpcs", + "http", + "https" + ], + "type": "string" + }, + "type": "set", + "default": [ + "grpc", + "grpcs", + "http", + "https" + ], + "description": "A set of strings representing HTTP protocols." + } + }, + { + "consumer_group": { + "reference": "consumer_groups", + "type": "foreign", + "eq": null, + "description": "Custom type for representing a foreign key with a null value allowed." + } + }, + { + "config": { + "entity_checks": [ + { + "mutually_required": [ + "http_proxy_host", + "http_proxy_port" + ] + }, + { + "mutually_required": [ + "https_proxy_host", + "https_proxy_port" + ] + } + ], + "type": "record", + "fields": [ + { + "certificate_header_name": { + "type": "string", + "required": true, + "description": "Name of the header that contains the certificate, received from the WAF or other L7 downstream proxy." + } + }, + { + "certificate_header_format": { + "type": "string", + "required": true, + "one_of": [ + "base64_encoded", + "url_encoded" + ], + "description": "Format of the certificate header. Supported formats: `base64_encoded`, `url_encoded`." + } + }, + { + "secure_source": { + "required": true, + "type": "boolean", + "default": true, + "description": "Whether to secure the source of the request. If set to `true`, the plugin will only allow requests from trusted IPs (configured by the `trusted_ips` config option)." + } + }, + { + "anonymous": { + "type": "string", + "description": "An optional string (consumer UUID or username) value to use as an “anonymous” consumer if authentication fails. If empty (default null), the request fails with an authentication failure `4xx`. 
Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "consumer_by": { + "type": "array", + "elements": { + "one_of": [ + "username", + "custom_id" + ], + "type": "string" + }, + "required": false, + "default": [ + "username", + "custom_id" + ], + "description": "Whether to match the subject name of the client-supplied certificate against consumer's `username` and/or `custom_id` attribute. If set to `[]` (the empty array), then auto-matching is disabled." + } + }, + { + "ca_certificates": { + "description": "List of CA Certificates strings to use as Certificate Authorities (CA) when validating a client certificate. At least one is required but you can specify as many as needed. The value of this array is comprised of primary keys (`id`).", + "required": true, + "type": "array", + "elements": { + "uuid": true, + "type": "string" + } + } + }, + { + "cache_ttl": { + "type": "number", + "required": true, + "default": 60, + "description": "Cache expiry time in seconds." + } + }, + { + "skip_consumer_lookup": { + "type": "boolean", + "required": true, + "default": false, + "description": "Skip consumer lookup once certificate is trusted against the configured CA list." + } + }, + { + "allow_partial_chain": { + "type": "boolean", + "required": true, + "default": false, + "description": "Allow certificate verification with only an intermediate certificate. When this is enabled, you don't need to upload the full chain to Kong Certificates." + } + }, + { + "authenticated_group_by": { + "required": false, + "one_of": [ + "CN", + "DN" + ], + "type": "string", + "default": "CN", + "description": "Certificate property to use as the authenticated group. Valid values are `CN` (Common Name) or `DN` (Distinguished Name). Once `skip_consumer_lookup` is applied, any client with a valid certificate can access the Service/API. 
To restrict usage to only some of the authenticated users, also add the ACL plugin (not covered here) and create allowed or denied groups of users." + } + }, + { + "revocation_check_mode": { + "required": false, + "one_of": [ + "SKIP", + "IGNORE_CA_ERROR", + "STRICT" + ], + "type": "string", + "default": "IGNORE_CA_ERROR", + "description": "Controls client certificate revocation check behavior. If set to `SKIP`, no revocation check is performed. If set to `IGNORE_CA_ERROR`, the plugin respects the revocation status when either OCSP or CRL URL is set, and doesn't fail on network issues. If set to `STRICT`, the plugin only treats the certificate as valid when it's able to verify the revocation status." + } + }, + { + "http_timeout": { + "type": "number", + "default": 30000, + "description": "HTTP timeout threshold in milliseconds when communicating with the OCSP server or downloading CRL." + } + }, + { + "cert_cache_ttl": { + "type": "number", + "default": 60000, + "description": "The length of time in milliseconds between refreshes of the revocation check status cache." + } + }, + { + "default_consumer": { + "type": "string", + "description": "The UUID or username of the consumer to use when a trusted client certificate is presented but no consumer matches. Note that this value must refer to the consumer `id` or `username` attribute, and **not** its `custom_id`." + } + }, + { + "http_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "http_proxy_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." 
+ } + }, + { + "https_proxy_host": { + "description": "A string representing a host name, such as example.com.", + "type": "string" + } + }, + { + "https_proxy_port": { + "type": "integer", + "between": [ + 0, + 65535 + ], + "description": "An integer representing a port number between 0 and 65535, inclusive." + } + } + ], + "required": true + } + } + ], + "entity_checks": [ + + ] +} \ No newline at end of file